23542300x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B72D1B55DAEBFEDD590774AFBF52D,SHA256=2E0D73C038613D5BFD1916EE12AA2DCCB10E35F2C6A3CC53056CF65948E94EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B2086ABC5D0FB54FCE9AB1C61D920,SHA256=59A5B85F905A5BADAB49790496CBAF77E0860EC71746B8056A63AEC0FF9679FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.400{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23C3B49B7B63AB623CEC06347641F7,SHA256=398401A8EAC173B3BDF4430507EFBDEBB4BCAA669681E8887CC785F87E766EFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.442{6F8252D3-CE47-616F-5902-000000000602}10002992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.209{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.926{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.754{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EDAA290A0F911ABE3FC28A75F67B2,SHA256=88FF3A2A9BE271412CE6AB1B6823324783CB9D88455C5C8B791D06C2A34BBB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:36.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135C40982BCEBC031FC3E8D71D7660A9,SHA256=07E0FB282E3814520077ADA109499DAEBF59A4C3A882B2959F7880407525E5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:34.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50509-false10.0.1.12-8000- 10341000x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.942{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:37.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489E60631C15C713C40EEC957529826,SHA256=D4179DD2C9660CB2E0B96C0EA44EF97BA138AE07FE81D46CF7FA74EE6F87E208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.754{6F8252D3-CE49-616F-5B02-000000000602}11683024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.426{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.160{6F8252D3-CE48-616F-5A02-000000000602}37841556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:38.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F28C31CABB680093989C945FB8CB9,SHA256=A256BE621B265A5AD7B9840E8D50F9AECB95142945E4A48995ECFE5BB0C2B465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98295537066EB346182B41D9BA309186,SHA256=73C38F4B432C29CAD763CAA55C4199BAE5C1F871E66531E19F5ECFFB413C66F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8082889414DF4280EA9D8CED92EDE29F,SHA256=11091671BBF8E7B6BE074718A9AF1B2F2DA3EA8C4B8257822B000D103CFA2DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.160{6F8252D3-CE49-616F-5C02-000000000602}28483652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.525{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55985-false10.0.1.12-8000- 23542300x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:39.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415AAE147560146A6E7DA77B26786A2,SHA256=EEC203A688999B33D56681194B2A9F106C1FE4F91420046FECDEAE0C180D719B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.645{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5A04B82A7C36492653C3F92AB2604,SHA256=48E3F378308B895E0ACB5D4F90D2DCEF54E703A6BBCF88BDCABB02434A0C0721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E408FB267434D6A006ED45F50C8F6B8,SHA256=7FE5C2DB9107514E2FA583B4DC1D322948427D118411C6027445562FFDC54B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.675{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B27EE74885E22D9521A6C7BA56D1C4,SHA256=47CA0D25E52F4FCF561FEF1730A877B59B19D61757D033BB2164A9B35DFA7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.269{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4669AE8826AE9A2D56E0E3EC08A3E8,SHA256=A0FB42674CD74B05D619A22C3677DE0927EE0746076A45325E121C22D63B2124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20DC963443CDFBB7435CAC281906E9,SHA256=488A3420EF753C4AFFC8D46D0A1066259E75BFBE07378071F963FE6B9920E296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:41.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD2272CB67A3745C1B17CA9977CE48D,SHA256=EE642AFEBA67BA0E6E8EC833893F5D31228AF6BC55C61166BFAA4F3FC22F25A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.810{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50510-false10.0.1.12-8000- 23542300x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:41.363{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF62C59A58B3F4FB0BDF09EA72418490,SHA256=8E58A0B1D91288EE079F33DB5F30A32B0A506742350A84485B770D7B8F582B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:42.379{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA466715E1422BF146BBFB24517C43,SHA256=7AE69D6D241179DD737041B121781E9859172B9697B73A60DA4666861A631FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:42.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCA1BA1A6C11883F7DAFE5977E847E,SHA256=1A6899586274E42ECDE0917B0590282C644E3B59F9822C3B6F25ED1EACD38C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:43.394{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303DD25E2CC17FFCFAC7254EE3DD3DE6,SHA256=6364F4EF6AFBE66F88FC4C3989CEED08342D39025CC1D23225B3378AD80ACF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:43.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C959AABDD2AC6C4D3771296A3D938C93,SHA256=FA47F6DAC3E725426BEB1E45334E3CA685D8F72BF29148707C7B54DB39F4B00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.713{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55986-false10.0.1.12-8000- 23542300x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:44.425{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B13FCFA939268ECC736CE0A6079CA9F,SHA256=728C85A93220D8BC98696A809221E1DE79AB11462121E07523F30CF27E7A298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:44.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EB4E6238C47BF092952D2F92D3B04,SHA256=3A39AB7168204B2E8DC60D33EE3517191DCF7092C9BD896638A15D6F8B417251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422E29F23DC0F0FF16B46A2B705BB0A9,SHA256=83D002A3412B1365C59703DEF86033126B592469E4E57B94766221FB0180F592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:45.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A900A9B916854F143B769BE7DB7E0,SHA256=6963BFE64B8411B5D43717D10D0816E3AABD02207DA01865EDCE705BD47CC53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:46.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017C29EB33F549DABB821BC14798246,SHA256=8653DCD5AEDFC53F2B7CBD2C07FA73A6FDEEAF8B66122497B722DFAD7F801A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDA51AE290C14E882F0A3F727AED3F,SHA256=13DCB5231AFB3EB8B3487415AD75D63F60A7E993AFE16CD1C987667384C97135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:47.644{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E97BB8B3613BF62EDE416A30E2C39B9,SHA256=75418CF9700F0478D448948DCF88512B290B16E1D2403452B459E528AEE7A03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:47.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F8B990821EC452C4CBAE92A5CDE912,SHA256=1F7487759E8E8FE8FE67D3A572CB6AF358A3404ED36B9A5805DC28F3C08265C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:48.660{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A647E868751748221848E078619CF17D,SHA256=F2AADC1766033AA7810B965A28784B5867F31C9E41728C5C1282614531D204D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:48.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4176B871DE7A646E989C31C24469A3D9,SHA256=4D926E54A4E5AB66124F690E904BA62BCBD00A81850823A53DB434042792E8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.638{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50511-false10.0.1.12-8000- 23542300x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:49.816{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8609D7805A8AB15FE7825D52FEE56089,SHA256=D8E315E444636DE0E671B19B005F7F48E0664B12486996912A44A38F41BF38BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.795{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0165AA5BC51260AE0CEE610000F1C3,SHA256=C10D4A65AD8C4A8B079F9F7818723CC6E59141A282189D7BB90F7407863F5C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.603{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55987-false10.0.1.12-8000- 23542300x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.956{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6FC1A380B1F554FE1DF17F49774DE0,SHA256=20845250B4F286B28FD5B6C8FCFA53EB36C09631AFB79FD26DD3DB25D716FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B69BE4D8E31A9E73FBAA6204C003D0E,SHA256=4FBA27469B112BAF7F355FD8C1D54D19702A68736C12B3F8C5DA20BA715AE4D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.967{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.295{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.013{8D4DD44E-CE55-616F-8702-000000000502}46642172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:51.972{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348D85EB6AB5AA56E03B93923BC9BAE,SHA256=9FFC297CFB57F991C9D055DC70C32923B279CB7C7E04558FBB1CF28C4A33A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.982{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E9C990E01C3ED134F6F4CFA29C9EC8,SHA256=5C13652D6CFEC70FF25DFDA79A0A9B04D0DA42B23743804AC1D7FAD2C59AE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.966{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539E8D49D0B95254F9C33A14ABB9F54B,SHA256=B0DDA5D64B2F3A9C7F99E49E1F9A6934D590570E37DC0767C9E9873A5A49DFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:52.988{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBE51F1370DA34B25E8C6964D6A563C,SHA256=784324C51FE1941739A54EB0C0AF3B6A30D3541E544CB7C1E5B820DF0FDF6C29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.983{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.685{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50512-false10.0.1.12-8000- 10341000x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.825{8D4DD44E-CE59-616F-8B02-000000000502}1552332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.169{8D4DD44E-CE58-616F-8A02-000000000502}19325028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.014{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5387DB01E17AF4031B86B23A5E86C78,SHA256=E76A79985F748A90FF83A6242A772B15D2293B02985AE794E8F089F6BCB09934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.697{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55989-false10.0.1.12-8000- 10341000x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.466{8D4DD44E-CE5A-616F-8C02-000000000502}26604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.326{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=410BF2B034A9C5DAB9FB8B05A7E3FB18,SHA256=B21D1534F6781665EC9DBF3C7E65EF06BCBD1DA7AB542ABBFD1C0FCF663E9D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6663EA88575027D6B72717F152476A5B,SHA256=81305189BB3B5D79DF0A581697C9E0F58EBBEAFC37BB34AA5DE7CFFD22C931A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:54.003{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58EC3A3CF7964D42D736E8127D567EF,SHA256=C48ED2F8822984E6B219A73B0399B10B33702105264760EE838D27FB308177BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.019{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA197FD4F4304997C3F8E282B10119B2,SHA256=C7E902B15C0A45F8A04F140B1B8F9FD3F38BFEEE46A393305DEAD9A6B9A7F09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.561{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0542AD7128CBD608F36DFA52CB67CD7,SHA256=238373E36C8A2691DFE907617593653F6CF0B6C94C348EB588285A9270A1790E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.107{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E52E718E4998FD331FE1D334320796,SHA256=B67D5058D2722B8AC525CFB917775724AB10560D0D7CECEAF0FB58813FF7F24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:56.024{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3856AC24DAAD845159586F95BCD4D82,SHA256=F38BC2D3D6639AF98DBA9EC61BD60FCF167C73F524F89820C094B907A93470DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C208D75DD9647E30DE720DAEA1731D6,SHA256=08FE9C29E1C6824D6D01FD2788C830A7162E447A0D6CBBF61360FCF2D049855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.158{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D7C6D62A1E6CA46A820EC0D7627A2E,SHA256=5621EA99CBAC2B030838AA8D3EA6E4FB39D48FA2EA1EAC3E8EC43137CA4CE5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:57.040{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1EAE82A62A00609947ACB01D7FACD,SHA256=5086C29BC943094BDCF0FCFD735FA89EBE8DDAF7CDE029618A16F007E79C3713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.174{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE97949430A9A9A610D6E4907A29B5,SHA256=A1EEF709550A4049B71DA142CAFA7ACB3DA193EC33174BEF2DB59803911BB48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:58.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5868DFD5A23130EF8E7472D900DF6B1,SHA256=A9BAE50DD24E38292510B2B14758F4C5D45DEE2D5E44D2588B63BDAAAD495916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.721{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50513-false10.0.1.12-8000- 23542300x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:58.055{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BA2A09AD1D056EDA39EC6FADB5AC76,SHA256=C348E2E769A508043B8C8B00A173A838578311B430C8C88CBC256D6D112DC432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.531{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55990-false10.0.1.12-8000- 23542300x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:59.346{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295414E12DD116DC285DD7C48B6D797D,SHA256=49D641EAC2CBF0A76E66EB97C8CD5BBEA5EAD5508AC518453DBCADD2DB90C90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.949{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-062MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.071{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EC13511F6C499EB40E3355A708D103,SHA256=D8EFD27F204C2799ABB7C40E2A95B4552194C85647A6C118B5A42BEC785C2E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.964{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.072{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59974489F116C58082CD0FAFCE4300CA,SHA256=D690BD292CF29E6251DDBCF6500CDF297D8AC872CA48067926AAC5AE7658FDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:00.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9316462B422A12141FBCB453A0E93E44,SHA256=FB823FD95D1D7AC1F8C64766E27245312CAC945BB2B714D4FA84FE0E19E7472E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.086{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158C69001AA1A4F5ED4C68B485BF32D,SHA256=FBC551CD75F9B7CCB2687E4840A0EDC3CFA9445BC6F44F58DBE1C97983DC58DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:01.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950009B2DE2E6F439BB3239B5C097B8C,SHA256=A8653292470780646E9700C4F81E9726BF1F9FAF203CED3F062C7B4E6FA9C3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:02.089{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F561B2B6B5CFC90DD77DD44CD15209,SHA256=4E42B0214F7F830CFA65E0200F762524757C3555D1BFA8E5D0C3666212C63D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:03.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:03.104{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8092FDA4A103DC3D1BC74C6F5503064,SHA256=F9A50C2869BEE125704F9746F24908C3E60A26488A174F5D1800BBD2A60850B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.676{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50514-false10.0.1.12-8000- 23542300x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:04.120{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB3877A93379B03A41121621DE7E98B,SHA256=B3BB220F040F50E29B8BC864BC097CFC2B8B9DFF958E32232D97DD8E4BBBFBF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.656{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55991-false10.0.1.12-8000- 23542300x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:04.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:05.136{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE15CD2A628FBA6391C4B44AF2B1A73,SHA256=2D7B97DF3A908E65CF66359F12780FB3147DAA76A4CBF625B6122B4EB8C76B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:05.502{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034FED3B20B1F7874FCABCB8031D5983,SHA256=556E8A37E45DBE3B2F84EE41166C546D6EA0A85474E9096CA96E70DFE2AB7F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:06.518{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825202F7730F67D3BA306E5EF95F786C,SHA256=5A82192FBABEA89751BD58BC92A96BC53D46D3AE8DA36D7A89406EF915AC56B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:06.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67519A53AF11615A3374EC590C3D76E,SHA256=91D5D3D70823E6E17AB7CF6E8414DEBDE3593D558E700A25B2A4990A08976EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:07.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.167{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3191AF859BAA2731A42EBC4EEB700B5F,SHA256=167EBA6CDC2A4FA9E9D0E2751B7D441FA0A76121D1550890708056352980AD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:08.182{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC300DAE80D154A0C0101AA85EA8FAF,SHA256=BEF858911814B46120178B860F7555004FAD9AAA2A7D07589A3788EE6E1E01A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40451548950A4A25CBAE648F0493562E,SHA256=A8995D68AF3EEDB2EA57CD9B214676BDEF480E3A3EE6A143AC768DCB2B3E0801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.510{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.198{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04031BE41FFB1B892C6345C7C614A3B3,SHA256=D8541CCAF96EABC48856FB4D2AAAB5D044C82F1910BE73C294F3ADC59C558067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:09.534{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA950C838F7CB287210A1998979E19DC,SHA256=1C428E4E5DA9F08F4685A03F954D2C16A3830E047CEF4BF89C0CBC3A9EDA0D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:10.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428A512A39B1F82F8C0093956756031A,SHA256=F0196DBFDBA7C2FD2773FAA0B88AF12EAB87B5754EB1063A08A2EE89D601E1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:10.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2D4C3611983F2EBE1B78F9C555534F,SHA256=633C6DD66B3CA46F25D107FCE45728C67A0CEF287C28DA6283B3A1C819B0FE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50515-false10.0.1.12-8000- 354300x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.515{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55992-false10.0.1.12-8000- 354300x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-185.attackrange.local138netbios-dgm 354300x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000102315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:11.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B822987ED38C3D3D4F8EAB88AABC5D1,SHA256=AA105A47B6341B4C8E8F53DE6EBD19287B08455EE22D14125E95C928305AE1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:11.229{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE6207F25D596FED3B1EEDB4BB24BC,SHA256=521ADAD74590A5C8FDC672ABD8B4813DF7740F0CFE5E94C727B73C93E47EC6E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.051{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50516-false10.0.1.12-8089- 23542300x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:12.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C311041D95F16610F4F5655865D09760,SHA256=1A76C0759EE70842E484F3F9D959598D802F1CBEB9446F8BCF63BAAC752B4D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:12.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4860F5058439EC016EF7DAD7EB2FCF53,SHA256=474D6B3F78AC7DEAC244E014AE8B9CA5DC156F48DFDA496A0A5FF21B5B13BCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB53BEC2922BE737954A93474F162A,SHA256=E960E9C30D8B7DA175B64C24D814117D71855611EBFCDFB91CE90D8FE95C1F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:13.565{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802BFA2AB9A3D397DE25B54913FD028,SHA256=10393282964BB5320484D599D7FDF473AC9128C259626205AEAE8B55471534EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.582{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6A3483FB28860EDAF99A585D2AA5A7,SHA256=A261ECB3AB875FCE48689A0AD4AA6C43A808253F3C0AF7E87A74EBCE537696B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:14.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE1737095C1968F183995A3DC2D20B,SHA256=A9F03CE9459EF35D3A58603E5F28DBA97FFF10476847F6EA81310625ED210D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.507{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-062MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCAF0146FAFC8BE2CD8FCCF6DEEC263,SHA256=D57D08FCA5CF8F0AF8DACB5D0799403A8DF230B080A65B3B9CCEA41BE767D466,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:15.595{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c589-0xa25db7ac) 23542300x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:15.276{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5863550AA33B77CC3407D361B286AB,SHA256=24CB08D3BECC68BF394C0DECDA66D88BE370D2AEE5A0F658C3CFAD2E93CFDB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.505{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50517-false10.0.1.12-8000- 23542300x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:16.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1C1D26BC37086F03B52EAFDA99FDEC,SHA256=6014D37C59FA6116579FDCA96B84E63EF81169909D5DA6E15E2D02AAB4AAFFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.486{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55993-false10.0.1.12-8000- 23542300x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:16.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D36ADA3931E5E9B6141609E42173779,SHA256=EA2FF400CDD1648BAF2C26B6E26CFC907127F3C05EFB48CD8AB019ECC77550C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:17.302{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386D60406165E548BB9E3A9A75E3B9A7,SHA256=22C6BA7B17EC0C845E7730457B3CB0FE20C0E4E3F48912A1B07F655C7FFD29A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:17.596{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF48A7080A3BB56A1BF9EC0037DB8C1,SHA256=5BD5AEBFDFDF4E7741AD8DBA3C5DF7213B744C6F2ECC263243C48E151C7EF116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:18.627{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C65B9D320BA911D2F08C2C75B0D84BD,SHA256=36341D2805D17954220BA39C6EDD76E62CD1E0F01A245B84BE0056C9D4DF1F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:18.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA72EDF87A0584597965E0FCC777269A,SHA256=9A88DE07C68A1479E9AB42D51FCE281772356405A2B274A101151F396DCE337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D2D172EE21749B010890B9CD18E2D,SHA256=B1F4A3770884699304144EA868D135AE7B9D6A661DC97DFD97DCC8689EFBDD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05650893CCFF60A68B12D938C9593B0,SHA256=59A2B6AD7611FA07B1983493BA3AA2BC506257269D624E8864772A3311B7E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:20.783{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58D847276795003FE92182693968F21,SHA256=BE0674E7089BBB0E86599A29C72E52A87699D558470FCEF22CE6B45715315BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:20.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296A19C5865210613584F86AA7FDB1DF,SHA256=4EAB68415661AA5BCF0F37608A3E3AFB0E4E6C9FFDD2602E13860CDF4AB19A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50518-false10.0.1.12-8000- 23542300x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:21.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90217759CD8C556B4F9E120F3D08668,SHA256=413FC7E7CE5E0349EC2D84AA82DC41A71AD77CC6F011D09D86730437A7AB0112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:21.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF4EAADB4181B4C0FCB7F62D40E8104,SHA256=D23B886A05AED15481F8BF97A5497CD5E31C1B3C47D7002469CBCEC17B4BC09A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.609{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55994-false10.0.1.12-8000- 23542300x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:22.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB737B648774CBE88796F833924857C,SHA256=7EF3283C88084097E4504082074BDB267C37920424113B3FCCED1A3FD7D66B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:22.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86CBA975BA5642F08E784CC27D22FDF,SHA256=0C8F2D3F3A8AB8266DC0910DCBF6CA44E689C27E99C2BFD2B571040BBDDBB78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:23.845{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27367ABA0277EB2A81DB9AD46030CAA,SHA256=EE6BD08ECC2CFE5173311C0EFAD411B2969024E4BC58E011A8691D5043986538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB3B5DDBD61DB3CBC0FDA974A86431,SHA256=D9985041D09FD3E85F33C5C1D1F531170BE38A9079F33442F0EE8783E9DBCE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.067{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FE0602D19E954A218AFB6C3298940DC3,SHA256=4E122A3A47EB4AA8ED7E945E97E78D790CF9494B60D96F0DB82DC6E00440EA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.846{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B7D8D1D577B2CA2CD056B61EC4AC7,SHA256=41EBE274194D77B128F5C7BDD4CAF68725A64120088C912368FE8B51A834F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:24.395{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD654091E322AD717BD608F58D21A2E3,SHA256=E16442739A1271799432362739685B3C1B6F1EA2C4B04CE63B03578F6EB304E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.861{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862AF87679FF3D64C608DBA9B02662F3,SHA256=1EF6DF9778B09688B10BD25A5E4C765BE729992F2AAE7B958DC15E1106388CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.397{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3B13C4B4A63C2C6351EAF0AF6203B7,SHA256=8014644C17AAC074589507D427D85A6723893D6C07DECB5C8230C1673EA2A5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.127{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.111{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACEAB1F6AFBE67ADD1CD161FFE796E5B,SHA256=78351E825EC1D5A0CE9006DCDC208372A74765AA65E45D74AA93B23A9AC73892,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 13241300x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 23542300x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:26.908{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74BCDCF7B4A493336F971B243EC6105,SHA256=02080A414420459BCE244460A5561089CCA3518BB4998CDE6981698CE729E5FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.593{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55995-false10.0.1.12-8089- 23542300x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:26.412{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C127AA044DFB1E6174A5C392AF2322F,SHA256=F388CB31D21DB5C39CB08ACC28F9D5890CA14E19CCB5634A14424F6619B91194,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 13241300x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 23542300x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:27.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3441E8888CAC907910BDB44D79F5A,SHA256=993B897AECB5C9590A4172E46EA0BBC49EFE311A0D5B2FC9DD3BB763BDB68FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:27.428{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820190C255961D6FC715ADD4052D6CCC,SHA256=4CC6D9F9280DAA5A2B3B1731E783145E564534C6881F86EDDE68873C5695FDD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.562{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55996-false10.0.1.12-8000- 23542300x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:28.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899978FB6621C734C323087641FD6FBF,SHA256=E4EB93766C7ADF6F009539484937C07DAB04E77CFDD318B7555D7CCB516CE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.656{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50519-false10.0.1.12-8000- 23542300x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:28.444{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3322D807D5516DF510865FC914BFD885,SHA256=F7A7F26E8787B1D74B975D4E1CB04A3C15C5D46AF0C258CD833D43445E6D5710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:29.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6F72F5B573FEDB1F8D2E8E07517F7B,SHA256=96A12DE115AA294E798F6D4359B954CE8DE8C80B9DEBB18D1DB20A971EF4C4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:29.459{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F405DAA911C21E2CCE7EF71A2A4EA930,SHA256=BE67B83A1A973785F462E4A1681202E100A36B99086EAC6A5AD4EFF218B28871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.955{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AB6AB86F1F2A117AA8FF8F1F2736B5,SHA256=76AE08D6FCED7D6AA468986F77D4EDCC198ED11E01F0965489A9A5E9329BF46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:30.475{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6D545A56FB33FD39C290BED54FAD38,SHA256=6B311A7787C9B6DEE7AC2BC8E209ECF1054933E4E3C29220FD9C07376E5F2CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABAE1AA8EFFDC3118C0D60ECD4C0B56,SHA256=446E892CF8EED009C863C4BBD2B7CA2D99B5F198F3DDEFC874A45BD07CB6F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:32.506{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30B4ABAB747FE5D6D2CD39897045FD4,SHA256=55786275D124795A52168DF72CDE05D269DD0836E1CBB8927BDB973633205FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:32.142{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38499B2BC79CDFF025F4B5C3F48EA60F,SHA256=98134B0D3B5C9821DA8438260C6A655FDF2EE659BB9931B494E5CE701C5B726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.522{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906C107DA5EE4DE37989B8833B32054,SHA256=6D07A12A92FDB3D31235B289739F680A8A9A0F6FDF29A7A871B9CC67E6E6F8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:33.252{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F2E6B2807D22323F591535A578EDC5,SHA256=02E280DC2A01CA72245B78A72CCD4896AF7E21D3FFB3F3E6420F4802D08F83D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.625{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50520-false10.0.1.12-8000- 10341000x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.366{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.672{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55997-false10.0.1.12-8000- 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.600{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D32BCF6A0916937F6FE61824A018BCF,SHA256=981A850C28B98C853176AA46DF5D1BC5A4120C3668027E01285E93792E4E3B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:34.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88E011A9F008C691D9A4A81355B1B0C,SHA256=079B706E414784B1C2CB35939E7608F728E2DBD3FE21F918B9442D124E785250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED887438C2C8081D3990EBD9F20EAA0,SHA256=BC9F9147E5BE87912C686EA571D1555E5B7D3019C83C2084F32EE3BCD09A24FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:35.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309D13034D4BB66CBE9134B5EA027D91,SHA256=EB5003AB866B998322AB539A8BD5EAD9FD7AA42AE154D6CDD93C74BC407F6632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.226{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.006{6F8252D3-CE82-616F-5F02-000000000602}37481312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.332{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5215A21767C358E255ECA69CCE913E3,SHA256=89B1367DCBFF3B962D2A17EAC135292272139499F6F5D6519C547E6C04353E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.949{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7FA7DFA42DB4DA5EFEA63DC4744A7F,SHA256=66F87E952B2DEA40426E6815E9AB383F8690CF425B6BCF73040C2B0EC1528F13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.745{6F8252D3-CE85-616F-6202-000000000602}7241144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5911BD5CD283D4FADA1794216C8B,SHA256=1B817FDB54CC15589F885B8B1104A5A4DBC9BD1534AA1A8EA918C30BE84716E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:37.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FA12CB7AB0FE2CD53D6B79060CA36,SHA256=647E7087647315E5AE4EB31D1019F45F3DD663C1657BFE9A6DFE1BF4B1D21937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.120{6F8252D3-CE84-616F-6102-000000000602}2932912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:38.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A76D92C5EF16251F332236C8B6B93B,SHA256=98CCFB7F1A6F00589B738DABB653FE1A070A7DA88A059E59461632C208DAFA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BD4E75EEFA8D8FB1FF2B061E9C7A7,SHA256=328C5628989A229B201F988F692597B212040169A5FCA3C81D60E78523A38D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.327{6F8252D3-CE86-616F-6302-000000000602}10322940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.042{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759F0CED3BC28C3F516A94141134A303,SHA256=FF0EC3BA93052BB499F72084B70BADE6E7E81D7187D18BD2DE0337AF5DF12A62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.605{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.479{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E41294303D483B6B1504157473A00,SHA256=8011320B3E4B9532431A05E7E726B808C3615FD2CD2C20AA5E42CC295013E77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:39.566{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9570B7ED768ED027B58BE91715A4160,SHA256=9E6D4F0F41B8BD4BC4710602740B7A600999634239D6138254685D9C4A765E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.596{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55998-false10.0.1.12-8000- 23542300x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE55DB4C851223AF83CE3AA18711BF1,SHA256=43AFEAB8F95A4965A6912CAB422BCAC4DF743EECAE7B211401F5E541BD98CFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.786{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50521-false10.0.1.12-8000- 23542300x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.620{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B07ADA8E12A0519BAB8BB5FC8719F7,SHA256=60D9F14B29565FA7BB56BB6ED9AAF1D5A2D463601070FD41DAE90384F732D673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B81A1ACD97D95179528F7C3C878BAB,SHA256=11B76D44457F6994D65EA2A172AD502F8D38F0BED9F1F4100035E733AD9F2095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:40.583{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83305A043EEAC898910DBA183DC05D,SHA256=C99222A6864D19C5AAF3668E59345CAB8E7175AB0B101DB2FB781F17A28147F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:41.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BF6F727A9F53A63FA98483BDECB0B3,SHA256=978DE52874105B9AF43A77217BBBD0A905172A365144EF0F96A9F9E83F7E6CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:41.584{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECB34BD8A3484BB78BEE1C7742684B2,SHA256=2EF6EB9E105D93891673420634E7E50149E02AC40FD3B879BA7BE85838573BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C62F691520A1145A6C4052D47D3B5B,SHA256=7CABC09A8C333A34475704F0023166B1AD6F8EF0C8EDCACD54F44E2DD2EA5328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.510{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59FD1257E8257CA8E542612E1048924,SHA256=5B218F4C7E3C8C71943C8017E88E8263F429719EC45E3B56C1361B1EA2948884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:43.526{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C4A0D3E8DF8198371A748C4BA20AFF,SHA256=658F5A0F25730282F74683A958960FC11956D9796D547871AA3C0A9DFC2EE107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:43.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F3CB7A578D09AF238447FBE31EF5BF,SHA256=15ADA5081C68E3E96DBF7D7C97B9712C5636B98E4E8B53304D6BFE41271E0C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:44.541{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A8FCC5080176C39D2D82FCB07C3E8F,SHA256=3FED87ABF3E76D35CD0D5CA17317CA9DF2C34759723AFC52AF0B66AF11262B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:44.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C586C6B0FAB3CB7A1E5F4FE98643A97,SHA256=4B702878E45F02E7A12B7EDC959963B9C55B9B6D6C3C7F1B76A224257631FFBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50522-false10.0.1.12-8000- 354300x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.550{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55999-false10.0.1.12-8000- 23542300x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:45.557{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36F5343F1B57D68354BCFFCACCDDAC2,SHA256=CE856076D8DD54758FFA281BEEBCC31EAD00E6DAD61904A8773F2F491826EE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:45.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0EE67DE951BB8A9AA31EC3A53B13EF,SHA256=0FD85E6CEDAC2FE4596A8164237B48F6E300ABC2CF889E99660342882B0E8BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:46.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08315691B3ABD2F2C0C7B81B0A6D12C4,SHA256=C2E9C02093118C893CA9E2747C9B91B85CEFECD2B583CFC2950A825DFC43C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:46.573{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B8C4F1B0221114A471DDC2E43E3EFC,SHA256=3DAF989AAEA77AB4F9FE3CAF9133CE68D3606128A3E0A6D7A8EB2C08AD333AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:47.588{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B6BF952B825E440008C2277A241D6,SHA256=D47947E48547D240A3B620CBF0ED86B04699DAED08084B739C5301BCC6D1CA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952DDE114C00FD476A2B2A94201375B7,SHA256=FFE172252E8994F31164E649FE40D103D0702CD797DC2AF7EDDD6D7B64BDCB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.604{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB5CA7BCE57BB9AE3704EBB780C9482,SHA256=96B8F42BE962F88F8BCC8C662C262C334E4BF8213BE4B1CAB0270B8678C9C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:48.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A501FB3DDE96A3EB020D4DEABB02C39,SHA256=F83F57FC758F60D08CB18434082EFE879F4705201A5853E759154F76FCA58BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:49.729{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEE3EA3B8C4BC4F0A7DF9EA940BAF25,SHA256=10DB0D1A575088AE08CB611FC7A381C0713AF9FC94B041CCBE8F2A43D30E73DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.803{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E2C90347E0273F0EAC94487936933,SHA256=F8939018E542141940E9B33E52E45901B9B3D8F2928427A259D5D9EFFDAC7C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:50.744{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008CE9C82A7530123633E9754F7EB761,SHA256=DF0635057D21D450923879BCE6397DC12FE705F9DC760A2B1782CBF0EF3C8D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.975{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.707{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56000-false10.0.1.12-8000- 10341000x8000000000000000102401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.303{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.021{8D4DD44E-CE91-616F-8E02-000000000502}46844852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.880{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211066CA9CA0CA030B7EA1FF9D854022,SHA256=FC4AF0F5E7035E1AC9A8EB4E4E4D715780EC701C66BE78032157FDA445CAC90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.738{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50523-false10.0.1.12-8000- 23542300x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:51.760{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B80B46D4296A643955FD501A1E5F4,SHA256=22A2038CEB2ED5B42215DA6E029698F594934F0157EEA904FADB2B9D078492D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E385D941C0495C98F4D4D7ED9892B7B,SHA256=77FC0054D233067E45372D74BC4BB5A48C914EDDD64817B9204779716D6F6336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2284468DEA81860A576BC1578942F9C5,SHA256=BDF0FB1757A0FC79FE290ED2920D9D9655D6CCD3B1E6932F483C6FCAC57C035D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.975{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.943{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207A9E99C34F6CD8D60F5345A260E85,SHA256=19DE16E597C81846A6710421182B7AAE2A24CE7A7AEE87134D65F841827AAE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:52.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DE8A35E4EBF8E5363D5F2A8BA22026,SHA256=AB88C3828D755402FAAE87D06A50C81962C98CF4DE9945D88AE13EFDDEDDB8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:53.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2880D9EFA2DDB9C6D08ABA0D05270086,SHA256=6D69FE12E9DCFAE0B17BCE7EAAF44051FDBFFE918358E836D62AC0C425081357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-CE95-616F-9202-000000000502}47965008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E89050291105ED2374EF837C0C3F90,SHA256=E45324949ADF84D188726E6A46A862465FB445949102F880BCA8DB61C433A448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.647{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.177{8D4DD44E-CE94-616F-9102-000000000502}50881924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.900{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB6D64749BF2BB4F330E45C5E875DCE,SHA256=EE818B3DFBD6274A33F514CA926725FB6783AF8887B30EBB93AE2C27B476D7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDCFEB2739904FB34E70F490BAC3A81,SHA256=8AB04B4C7B95290DED6A073ACFCABAEB375FABFB7FFA172DFDF395A7F20B4A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-CE96-616F-9302-000000000502}50922436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD73694E4B878E777C9AFC07A78AE5A0,SHA256=5BFF3FFCDBA34587FB6D14ED61508BE6254265B4B896B4AA3F7B5FF6371E142E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.147{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:55.936{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6A6972FC33F91B08F937CC2E2D9139,SHA256=93ECF86497C063A117EFF82962FB640C5BEE3C49998D202DCDBA60D62C439153,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.613{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56002-false10.0.1.12-8000- 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.162{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC0BEC948B0B01F8165CAEEAC19EC5C,SHA256=69702AA27AF4053D112E45E81199A0B6C65BEA9197FF8DFE3C34611F1791D6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:56.951{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70AF9D535619AE96E06B04E6D3B13BD,SHA256=998CEED1AD3ABF6514C90DA8E7A9BBDEDA80A417BD6E8D3758AB53E2333C0685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CBA7752795EECBCC78D1BB8F932280,SHA256=6F40AE11BD798AB1ED8E0C5A4B23508E0F31EB523F986D3A54B2EDBA0398CE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423C926B39C29CF6D0F1742196414819,SHA256=F13046ABE718F9F887BCA5ED912E60E0776AAB3E24AD2767830375E7E70243F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50524-false10.0.1.12-8000- 23542300x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:57.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A98524115908E01C2230B8A7DE3C9E,SHA256=F9BDB4B2D662462889BA3981FCFF6DFE16C293374A5B5F7E18D91B9F269E753C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:58.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080AEA1F1FF442059E07FC74CF284AD3,SHA256=F1378B8A05BF348F072F9AA860412B8E2C09CDB197AB745ACE3C42FBA773C997,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4774C3B3A487FE3F41BCF4DADCAC7A,SHA256=D20E79E2356BA680631292F66DABC04DE315FFE84230D1B4B14190ECF9DCBE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:59.264{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E0717E0DDE23DC7720E94A6965471D,SHA256=B35965DD2755876BC939EE9BF94B713AA257B2C6A10B2F807C9C30923A1837ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BB6B1268D552A2119C25BB6DF762AF,SHA256=48B2EA2AA93556D50D869DF2BB15F9C48C018B8264C77DDAE637666DFC63A33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364ECB73065B302B2E3662BFFC810D85,SHA256=3AFA38E1247CC5C798A04BCDA8B91C6051221C3C2C9ACD677092A05EB4D55129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1F7D6337B973490A98A0108E628670,SHA256=1B6EC46234F3386AB8F9EA684BCB571822FC69C174034431B0E6C7E07E3B1029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FADC340855B0353764841BC47CACB47,SHA256=1E850F8F78EECDA195DC2D82955308F45BF64A7AD051E065D416684C11721CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.486{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-063MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D7EBC8DFDEA28C009B19126BFC6ECB,SHA256=33B38D714767D577EBDE9245A515DB9C6FA4C3E8D13BDE57CC5C8067180360B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:01.070{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704D6B6349A92B3A59523F3EF45FFFE4,SHA256=A782CDAFCBBBC581DBECB73B88FA892397D30A51CCC76213FAFDDC9C4AFD2DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.485{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DAA2EAF0273958484BE05A14F21468,SHA256=CB6C01501E28A215239CD54D6224C120B1D81B4F95E0F7E10265E528EB580659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.484{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:02.149{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8929E96CE1B8DC64FA364EB588F92C,SHA256=A8EBB283AFED84CF50C83BFD630D76B6994AC930A56B9BC1092B0C15CF5239C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:03.656{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C512ECCBFD837E3A32E5E35C1728D555,SHA256=B32A6FD09816B54FCCC188D1E2020FCFF022C4F5F1F5992644B4C337CCE71103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:03.320{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18B0DA6FB9EEF2D3E3AFB1DB3E495A3,SHA256=E015FCE50159B0BFF39EF692A7DD9B641E714A2E6BE294CEC6A6CFAA80975D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.711{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50525-false10.0.1.12-8000- 354300x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.569{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56006-false10.0.1.12-8000- 23542300x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:04.781{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BAA10520358156669CD597C7698BAB,SHA256=DA80B68E2F716D6F8195E6559C5FA5101F22C9A51584981E100AB24E6E892522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:04.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899D27D5B18D0B9350092767524FE4A0,SHA256=926C5ACC0B84410123711C8A21D1D0FD74A00C34C9AFAB1CFB601F958FE8E234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:05.812{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B1EA6A4E6021E90A630A811D70F023,SHA256=AA3927760F7BABF6ADCB9C20F63AEC3C36052DADB94485C9F55D8F703B4D0ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C15DC73E5FC29BF7F259A79B4C4F1D,SHA256=899C36CDC4980A8030320E6CF90B029B3AA1BF22C519EEF09E5EA64A341D3314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.813{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5F293DA04AD8C8AD248ACD422A13A,SHA256=2A3AE20A0908E6425DC08FCD50C4AA4503A3B2FA15AE3E4EACBCF6C159922AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:06.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EE1A478C352229E6B2F5D03FD42EFA,SHA256=F23BA7130CC47FE5AE25B40B70E7CD31B2DCB1FDC55C2E8DB01DF16109A91D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:07.828{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6C13BA17D3C90445E0447C31C85585,SHA256=62E73051A0088B635F7B6387CB94E4520AE8DD1D617ACA2F81287E0BF6107E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:07.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87CC6544C5ECB0880F0887E60B680DC,SHA256=6B2E0C47958FBD899D2F4741C6A93E8085DB4282D2326951BF361D3F8C7A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:08.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBBF87861C2A7516EE9BC002915A76C,SHA256=244FC371E68E4590414CACF85A16F3836F4562955C099DAF1FF3AD24EF7F6AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:08.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6400D5A6A8F8542BE435D0C7D92CF5E7,SHA256=F736DA0496D1DAC8CE4284DD6F14DAB3260B6261FCE99BCF3D7B54096EB7F08C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56007-false10.0.1.12-8000- 23542300x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5A1374A51778F7B735EE96349C76F7,SHA256=3FEFF2227F00A8C5564A4317C6DFA3974D8A55C7F6F246304049719BC0972746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:09.398{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917258BDFF28406B03B192B6454A1ADF,SHA256=588C2F7E899A3F3BAB0F092E57B2F05505DE981E124D3E2350FAC36B09FB3560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.531{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.665{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50526-false10.0.1.12-8000- 23542300x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:10.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B36C6CCF1CDE5914BF9A5E59015F1BB,SHA256=F4C710DDE1CBA66911B151F17B4725F724087E75D6AAF719BEE567E0D91B016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:10.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3BACDDB402644752F8C04E58E1D19,SHA256=8D90BB9029549EC46298B4F26EF01451975162503DF41A2F687D7D34AFE7BAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:11.539{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5AAC1D5E93BCFFB60DAC351ED28970,SHA256=5B47B604B2CD7D284A91FCB7AF877DA74E82E8016D4D1BA863C8B1C17EF6B044,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.072{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50527-false10.0.1.12-8089- 23542300x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32ECFF04B83581CBE4D56D6B764AAB,SHA256=8A265FD66EF29BBC2FBCA41B9AB7CEB4EC34D9FB33BE04E6ED9990514AB8313B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:12.031{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF29004C6F26540E4281FA7C7934173,SHA256=4BA57334D9F394D6412FC5C623241ADE42DB5B3BC094F6311D8A8C0314AF139C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47FE4DBEE48595E41F7E03032CDBCC1,SHA256=12D5214FE366BB7C80C6390DD77D95ADAD920A4CB0AAD8F0D3B501EFE37A244A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:13.140{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0EBE4427D52186CFD50883E92FE0B5,SHA256=F80DF602C9A9B00D423134FB9246D2AA5180EDA44CD14DC849E4A20EE9AF9F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.980{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.980{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000102537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.601{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAE1CE7D2C6C76DFE43F8A9E60050AF,SHA256=B35B30F5173EFADC18D435C596B068CE3333621742943B5966CBAA959EB03F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:12.634{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50528-false10.0.1.12-8000- 23542300x800000000000000083778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:14.156{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BDB78C91C47ADC8AE880E8C7278876,SHA256=066183C8FDEDE5A4C55D5F724B2A9E200E0A9A9041AF0E5C33560B73B4C0CCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08411E796281862385797BC7CE325C7,SHA256=9284DD05384E27496DC803BDB6A0F73BEF42E25F191A75FA0FE0BB7AC8AA9A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0223C4267FC0FA0F366A4FA2D3D80210,SHA256=EF158270D905BFF0AFAD43C36BBC4801C12FD5E81AF4B21577CF7E938A241FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:11.522{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56008-false10.0.1.12-8000- 23542300x8000000000000000102544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:15.601{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75B9F280084CCC01CFBB83762D26A1D,SHA256=75ECCC6D78707365F671CCB009CB8D3C7DB4FE731251AD190B4E1BE4C30A04E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:15.203{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687B5F72638D08B02945534C518B7DBB,SHA256=C782F7E1316D84FD7F92B1D2712E5C5E19AF531F1882EB3F41E5661B0825F5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.094{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000102542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.094{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000102541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.988{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local56010-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000102540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.988{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56010-false10.0.1.14win-dc-185.attackrange.local389ldap 23542300x800000000000000083781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:16.233{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8339089BF8DB46C3F19926273678AED9,SHA256=8B6891BA5B1D930EEAB3A2AF6B129A413481FB13BF38A27750D10A37A76C7AAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.027{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-063MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:17.249{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888D4EC6F540BCE9865B40AA3483237C,SHA256=EE645560A2CB96A0177386A6EA9C9879AE41F9C36EF21FEAD3098583140C32A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:17.099{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE20C6534E4482BC80FE0F6C76C87DE8,SHA256=1C2987F2A1AB3ECBB47C56A952AF0D1E895C08B6E15C003061EDE2C3BF9D1274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:17.039{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:18.280{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050BF66C6509468D2614DAEFC912BFCE,SHA256=23CA1A1108C51D08353A1ECA6E6E8791D7818107F5D36EF779AA466335B403E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.614{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56012-false10.0.1.12-8000- 23542300x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:18.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A496EABD18633B1C38A3016D79FA86B5,SHA256=A1889544D8390603ACA6091EE6556C8CA03715A36B5C68959993EFC4DE001272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:19.358{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFA9916EE1CD612D4D7AE898CD1F4C1,SHA256=B2B8559609A05AAADD3FC38E8CDD833833B0916543F91D537C7A11E4B2B8A94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:19.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE1A52E54072C151962C22F00AE88AC,SHA256=726713A4B891F91A1A9F149C74EDF931D05660A1AA41C16BB8359889677CC0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:20.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CF3E9F97CE92F53BF81EED4BD608AA,SHA256=D6BAC613FD592AE7B11E6741B1136E39C419221C4043B2DD7F25DD601021120C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:20.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F77066773D3044926D8643FBEA192D,SHA256=254901F4A409CAC4CAC119387DBB6604BF6A6B9AD017CE6B55C613A19A153BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:17.821{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50529-false10.0.1.12-8000- 23542300x800000000000000083787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:21.514{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489DCDA32C9181A5713B67361086DCDA,SHA256=FF469AAB5374A62BDC0240A183DB75543BCA943C035EF9C4A3DBD202816DEC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:21.289{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0D1DBF08D01EF1A1BF5B4252163FB2,SHA256=598A173A37B1116E0F29C2BB4CEB74277FE14AF262B55D7EACE655B5811D3A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:22.546{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FFD1707FE750D48FD0DFF1E55DCA21,SHA256=5FD6837E4C1E67C4C7C56F94FCD70DA536D113B91E8A9039B0166BF28E186F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:22.414{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAFF4C5AAD44550188EC587C9EEEA8D,SHA256=6D0E33A934DEBE080B62C8625FA7B393A0CB441070C32166C0AAAD5B2AC4F3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.577{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4870ABABD6B060BCC933E3D9F45EF922,SHA256=7A8E2AA90252888EF745F5CA80C271683E888C8A48F352C544FB6381E4EF7AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:23.430{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FEE24C4736BC963205E7501E2EE3B9,SHA256=0054DD54887447886B5C6EF708A54AF453AA2CFFE3D0115F044397664CEF130F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.077{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B3C1D43F02B52BC5A97AF0ED7784E1EF,SHA256=8B910ACE5569B19FD9F4EFC892546E86C7015F7AD8A1F1679727D461B4381CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:24.702{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993B1B342347F22864D3EB2D93050A9,SHA256=2DAA0C8D4533F573CC44F61F927CA9265F250EE021B3D5283A98E53BE74A9B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:21.617{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56013-false10.0.1.12-8000- 23542300x8000000000000000102584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:24.430{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F1DF77DCE039F813A09A9302F2C3C,SHA256=761926201466FAE72113CCB2AEECB1313C59DADF56CBF2707525C899EBAC0951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:25.733{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA03D8368AECF1234DC56988D1928F7,SHA256=3B5C6A549045AAF0B3CFB521B70A018FD96B39E9F8C7D3C2B5809DEFD5183CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14CDEDF2AC930D5FFB02FE1754E5CB3C,SHA256=23498F8E347937D737F39455062135876DE58DD7C6285244A4DC43B1B6DCE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08411E796281862385797BC7CE325C7,SHA256=9284DD05384E27496DC803BDB6A0F73BEF42E25F191A75FA0FE0BB7AC8AA9A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550BFAE857CF0FB3681EF8AF08943237,SHA256=B8A1B3892051DD116C40D5FF2FEFFC89E82FD40EFBD8868EC0FBA1E31813F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.149{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.118{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=75771923CCE67DFA64A4DA44E2A7FFC0,SHA256=B93C657D78CFE798A65F2C356F8C48FD63D6360E6D100D6A590B3712E83F0FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:26.811{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DA8F97B045D9C76159AE3977D1DF3A,SHA256=85540E476B0A961632E39A13358C4DD4C9945FF201D05B38B975FD06B33B317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:26.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B22A19AB15C3463C57475A3E95FC54B,SHA256=B6786361C328CA4E99C322510EB975BABFF14B05C79CD03D2B62F24816065AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.805{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50530-false10.0.1.12-8000- 23542300x800000000000000083795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:27.827{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37CFB4CD01D7D977D7232B207C773C4,SHA256=6495557F9490C624C848D5B89C9352F6D4829A31F3B7A810F9775FF1B5C7223F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:24.617{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56014-false10.0.1.12-8089- 23542300x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:27.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F31454437130E69FAF022377884AA7E,SHA256=374C678B042CE50811D4E44B1FCF859D48CE3A4CACF08958995FF21DCDA2ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:28.889{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DF0107116586CF1674F0486ABC795D,SHA256=6EA5156DE5F19BD3BE40E5A86383259977C9D219136425BB1D7871C32EBAA4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:28.680{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3802AE08A4F31A5370A221EC754158,SHA256=B6794B96BB033EAC48AD0FC29C336051DD28273E8EAF1CB49FCCD3AF15438382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:29.952{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C18F34A07316A01941D6C280F10C905,SHA256=67CE720F2F1C44431E1A8F370A6383103BC872F2C68A05265F203C5857339F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:29.743{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBA1E746A38E5E9D1FBE9DC7756CEE4,SHA256=0885BF5B1FAEA19A7A7EF95F4BB8D83D39F11C8DCEDEA59815D444E36CB5B77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:27.523{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56015-false10.0.1.12-8000- 23542300x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:30.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448458798BFB729854A1A68C2BB5779F,SHA256=0ECB8917B49696389CBBE9848AE832E9534156C87471AF5A7D7A499F8DA26870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:31.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D83A97D1AFE745D8BF2FA0E6F7C47,SHA256=FF8DFB1A53745733F347FF42FDD29A542D4DDBFF5374718DA1DAB30AB5E049BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:29.758{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50531-false10.0.1.12-8000- 23542300x800000000000000083798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:31.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94AF402DC56A5BF263EEC28DD3165CF,SHA256=9ED24369C53B9A827851C32C9942CEB75855E4E76BDCB38077200BE9F16FC4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:32.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DE7F48B5485E84B0637B93D9F2F249,SHA256=B5EF2614FED558D51D9F0C3B92BA20D33CA9DB8247A5F366FB30941E34B7BC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:32.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DBC813CF3D75E5BF0BA3F19802071A,SHA256=74EA8B027F877F24D354569FBC28D0D301EC589FF766CBFEC95AFAACAC2EB6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:33.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55C1F705C3D43896C452197C6272F1D,SHA256=A7B0A534633B58A67175CCD2D7B0551C282E2C400F59EA26806BB65C0A2FCE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.390{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97F12E5D1CB1DF0D30860A3141908B,SHA256=031A996256E86FDE3BC42851895F30CAC4AEB4733CA28285F5DF53B0D5B9919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:34.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A60D2551FAB364754B37E01D79EC4B6,SHA256=11E4B5FE0EDC0713FACFE327EE93F08C70918D8B8A47DEE38E49B336DD54DD45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=903228CCA8BDBCFE3DFBC732A8D34EAD,SHA256=E192D60DA503E2320D65F7B1BF2204EB11702E9E7E4EE504463B9580DAEB3179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62ADC85F1C2DEC5F703843F7648F877,SHA256=98AD31D2793C5EDB1B34CFECD8973FA0AA971995C5756B88033709E6803F081F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4A89E9D1E336186C2B338D0FF47340,SHA256=E349E4C8D0328521B7DB80D583418DD83088A81EFCC00C02EB331F7E0BD4D218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:32.648{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56016-false10.0.1.12-8000- 23542300x8000000000000000102603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:35.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6EDDB5EF8133E717646B6AF1DFCB72,SHA256=E65DFF9D2E826C5A89CC38D3EF7C099515837B25604F9DE17223E348090F3E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.988{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=903228CCA8BDBCFE3DFBC732A8D34EAD,SHA256=E192D60DA503E2320D65F7B1BF2204EB11702E9E7E4EE504463B9580DAEB3179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.249{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECCE6AFC9C2B2ED7B0749EF24E1B8B,SHA256=582587C733D47EFCF20183EF25E581C8414AE93B5F2FAD01C644B9206312C952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.045{6F8252D3-CEBE-616F-6602-000000000602}26124044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:36.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BE0786B8E10E85E418387E19AAF7CE,SHA256=E58DCAD554DD83618F58814B267794FB494CC8578B722A897DDAA82BED1ED873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.942{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40242B9A3511E787035DEC52EFFEF066,SHA256=87C438DCEA815E8E76406A6783B037176021340514EC1BA3EDE5612140A3B6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:37.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E4C6E7C942DBEB508435FE677C301,SHA256=DB12F0FCA55E5B15D0A682C7B40AB21BFFCA3652C5D2C3424F092DFEC42F9075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.910{6F8252D3-CEC1-616F-6902-000000000602}33762600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.614{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFE26CFEDB9DFF0B875C0597E499735,SHA256=147941A13FC7637D82A406DB5D8B66D1EA4221C38D35A4105CB65DB411EAF1B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.129{6F8252D3-CEC0-616F-6802-000000000602}6363132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:38.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4C9A177CAE1AA43CB8B8B05F6831CA,SHA256=2303E40FD00766B937820BFE8B7E0C0E85989A3801870943069C1944148B50C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987FC58F19E4AF6BA73C149E28DCF356,SHA256=E316301666976321B55AC81CC884EFA9465D6F1655CCF9CAF06A201D27E1EFE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.316{6F8252D3-CEC2-616F-6A02-000000000602}34881692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50532-false10.0.1.12-8000- 23542300x800000000000000083890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.144{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2C3A1AD2E8C37ED39156AFA3889675C,SHA256=3291D8897F4BA31E560A39B68B7627758CF033FD97C5DFBED4BD6B2613CBDA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.114{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:39.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ACFFFE9C3958C53CE68A0AA27E6EFA,SHA256=6F2424F191A4490C20F2B89672BA58EE85FDCEB52919A770CC0ABFB605864470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.614{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.316{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DC222E3D814C5C66C7099EF8EB909,SHA256=D752B7D3B06DEFCFFA0D9156E80A406A0F5B371259ED6EED9E3C849DD35E17CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:40.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8807507CC103DA45DA5A784D5DA9466D,SHA256=37EC33F08EFD55A64A26D35DC12D1C361676C72D23808F838EFE50AED1B97B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:40.676{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF7A84118E2F27AE6059AA6679EE857F,SHA256=F09F6B12A50E304F60339ACB03D03F543436C25CF48B34174F38AEC148BB6AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:40.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B3C6F0D165EA528342FB6A5F350FCD,SHA256=F3EC2B78DAD9FEFD7E11AF8E8E8980BD276ECF5FD4AD1F1BB1B1DC2533FAE21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:41.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFACF752B769FB50E06D585C7D9F7C66,SHA256=E0E43FF2DB7459CE7A8F9DE68D07661200B07C1C35A41E5C8A0DFA7E1D072569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:41.410{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DAAB9F34BD7B79A5BCE80B4DC4DC82,SHA256=E2ABEBB977587AD98D8CFA42657F4948363F9B11599502FDE2100CF5B9BF77BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:42.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C62419F1BFB67682FC697B46AC21977,SHA256=FF4E7AF75754A1C92C15FA7BA221CF6BB0FF734DA82B02F9941BC27BA1B104A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:42.426{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D62B2511286762F22DBC08734CABD5C,SHA256=6A1CA972F87214D7A9E952B3A55BCFB884002FA7A9134E877DB854BD27F81BF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:38.513{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56017-false10.0.1.12-8000- 23542300x8000000000000000102612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:43.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FAB797A8FDFD2C6942D0BA9D2A0F3F,SHA256=38EE66B78BBA712F294CC61D018B6F2E99711236C3FADB952637EC5D59B0346C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:41.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50533-false10.0.1.12-8000- 23542300x800000000000000083912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:43.441{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51533DA8F5BD955621F49213E98F1E24,SHA256=9FB9BC92CFEFA9AC3C2208F864D8EE0D37A42C1BED0F75056EE1D9148C013CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:44.457{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3823D5AF0E65CFE1F86E1C2D94F9589,SHA256=467DD63C601289A50B9D5319971521118670CE0BBB069752CFA329E6609AB676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:44.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2200239BA9E8CB5ECF0D2FD19039895D,SHA256=4434B8E5401ADD629E4AD9F3C0E86DD8CD317CE7A3E638FE9127723BA7ED6FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:45.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE282C5F0B5347652162DD4225B1339,SHA256=79FDE2D8457CA9E2A01E8E03D763D31FC9EA227380AB0FEA4555FB347FA253A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:45.472{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC27613368165CB1B0DEDBCF96E28524,SHA256=3A325BF57494B7D622D9F92F266151C8078484063AFA1523E850EC22FECF8134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:46.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DCBDF5368E80AFE1B1CD9978F795B8,SHA256=77A94AA825D68B711E9EBA334C79D873CD0F57D1CF05AD453066833F25A8209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:46.488{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AD2B921697754CF2DEBEFC7E6B476,SHA256=E9DB41CC92324B763B40D7BEAB19A3B1F8C8FE49EC24C8F8744948827B9CE992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:43.638{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56018-false10.0.1.12-8000- 23542300x8000000000000000102617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:47.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D20F9658501A53D50FBB2C74357C3A,SHA256=C55A66F09B01BEC796EB6927EB152175C59CC18C6A853A2481D59245CFE228BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:47.504{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1F5E6EC5E99ABD118DAE3A4A19A5F8,SHA256=A4BF72B00AD7AD16873E897EA29E47521191C5B779D3446B881A4E6FD5A2B9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:48.504{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19DC58DDA2675FAD1226CEFD47D87A3,SHA256=63C1482F1CA97CFB4BF2B72AD1BCB9960C8ECD89B4E566F49BCAFB78A7B9E673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:48.841{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35111D03E1A2538A682E9B8C297D9839,SHA256=4EE5171314334DF7F7DF2207EC06042CD962B404A1AA0AACB68DC59528C1FC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.935{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85124704DEF0CFF24F647994074BBBC1,SHA256=EA18014F6758D938697110BEF1C0F4B65C688E7042483B67FA5ACE295C668021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:49.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7DF0471317CFCB7EA66908B64DD579,SHA256=8D3D5A3219DC88BBA4CF20A7D28E15F975BD0183B0419F9C9EB9E00F75724E9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.826{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:47.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50534-false10.0.1.12-8000- 23542300x800000000000000083920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:50.535{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5077CC714F26180E22674D3E763472B8,SHA256=A7A276D327E51A726D794F910DF14C224EEFB88903237AB72BE9AF2CC70C48DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.326{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.029{8D4DD44E-CECD-616F-9502-000000000502}33602724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:51.550{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2FAAE00E8B3EF413C6234D7AA235FE,SHA256=8916FB6AF00FD3F28CD8ADB4928A8EB19C37B5BE008B3BED71541FF8F71D396E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:48.747{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56019-false10.0.1.12-8000- 23542300x8000000000000000102662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917EF7E351F19504A6364F12013F5AF6,SHA256=65D909EEEF075C8E7FF0924542A2B5C7F3366CA13D547F0F9A73FB002F2C760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14CDEDF2AC930D5FFB02FE1754E5CB3C,SHA256=23498F8E347937D737F39455062135876DE58DD7C6285244A4DC43B1B6DCE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012AC852AB06E96626A4995B51531AE4,SHA256=1087CB254C0B4534FC555AFF1782541AFA39C48045B915A777A6662F3E4A4531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.998{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:52.566{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431E9523FAAD1EE393928B9FC0B211A7,SHA256=E6AFB906841296220A1A81B13B11491B8215637D505FCA8662A7F9ACF2B9C88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.983{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.435{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56020-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.435{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56020-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000102664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.029{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FBA9DDC235FE163EFCA4A00896BBCD,SHA256=084FD848C8149A69F5E340CDC26FB47255955414F0B28731756F49D699C6F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:53.566{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1EB47637885879595ED6BC276ABC3,SHA256=BDFC20D29553E9A31E9A9D1DD53834FF8A7775D71857B1F6B66E0DF009E7511A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.857{8D4DD44E-CED1-616F-9902-000000000502}50204000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.154{8D4DD44E-CED0-616F-9802-000000000502}42082660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD54EE3E3D3E4B15846A49C2F10A41B6,SHA256=938917077BDE1579F27EEA6BF4054B8DA3E671C7B879A30A0838F181E2B0B0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:54.582{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D959638C8407EA310ECF71BB4382516,SHA256=090A747C72DF759783035C474823BB97026891A975BA255BE7A1991BF492E744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.544{8D4DD44E-CED2-616F-9A02-000000000502}50164316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.326{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D0062EEBA4056A0B5729E0DB8CDB69,SHA256=D347A77D898E36A532F5B6D039C5E65CFF9FAFF66DD9A4F48F6F3C111A40B98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917EF7E351F19504A6364F12013F5AF6,SHA256=65D909EEEF075C8E7FF0924542A2B5C7F3366CA13D547F0F9A73FB002F2C760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:55.597{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043EB5B036C60526886A5B19F9722191,SHA256=A3C7D5C97CCE3DB4980DB7BFAFB9315F5A0AC93A30F71CA68C17255FA89C39BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.576{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.341{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD10CB4F4B953EF5BEA078CD09F332A,SHA256=11D830C970634C2145AA79BC9C5B2B9C142705CD0C47563DC9CAD9BE4D7D0264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9467AB0BD653A05943677D6AAF3E1F,SHA256=4D31026EBA58DCEA32A3FE2D2F0D0A851169DB98FDCA7F606B84DABBEA91B5B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:53.716{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50535-false10.0.1.12-8000- 23542300x800000000000000083928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:56.613{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A600FAED37CB143298E9AB214C2CC7,SHA256=B47FCEDBD28C7EB68A693FA1678ED9E1EC25946885D81E3820965B0A827F5842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:56.809{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508CDE95DC8FDF426BF455C29025A1D5,SHA256=C581F3F720B203F1BE3B58B909DA0046D4EC7B173EE09988795285755282CD27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.622{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56021-false10.0.1.12-8000- 23542300x8000000000000000102727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:56.106{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9EE20AF595A3B609042B945E2200AA,SHA256=8ED2188767990DDDD327C2CCBD1517690997C7CC75AF72C4ED67E631AA824635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:57.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74198392FD2099A98192926107D14547,SHA256=B594CA50B5F949709950951B8951CA63D1F41DBBE2AA21F7694164CD9086DE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:57.184{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22879C190CAEC2AF771D1920A1F7DAEC,SHA256=07D831A96B789651C62CA856B5ECB33556BB8BCCE84C627BAED89CFB1DC32006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:58.644{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFBE83888F345AA580E22872AB125B5,SHA256=823D801789559BF57332D6E6956FE1FBAC7AA66E644D8DCDACF683517DB857F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:58.216{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CD8BC6030B84B77EC2954525052A66,SHA256=C7D9B4403BFCF2147F6433ECF2B39C341D76401F2EBE31F833C5DEB2617D686B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:59.668{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009D6D10562D8563CE7B13D4B45FA81E,SHA256=46AEDA4430C79F45C795D3475348F66D87CE85B405485CB7F7ABDA8D8894388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:59.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A056F40D9ED8DBA206BFCB34E31D239,SHA256=255C9A10B5D3671342FD9414C53953FA70E45D22412BABD021F5AABA624192F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:00.675{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FFE522A1E098C5EDF01E5CDEAA6675,SHA256=C96D38942D073801203A7F0E4A0EE3738253C3D6340F3D07F9C4AD61FC7D01F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:00.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922BA198C79915126C3ACE10852840E0,SHA256=92503A62C9D955A3CAB6270EB1DF0315DEFB46208E2B4C021B1EB4E5B342CE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:01.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A18C4BC8B99A7300C698C5FC7A9B8D,SHA256=657752D8D993EB44E0FA0580B655813A7812CE79C9564147DAB0D45A0D71EBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:01.691{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298B19437BAE73F3EBAA70B25A019F66,SHA256=79E90CFD667CFB60D07072298699A275694386F7CB40BB0EE0ED08C137E19CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:02.692{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7670D9D65DBACF896AB8B33EDBC59B28,SHA256=C7E7EB189C922BE7DE4166F2DAC74B441A6DD1C208E726E3FDE1DB080D822A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:00.528{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56022-false10.0.1.12-8000- 23542300x8000000000000000102735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:02.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458652FD45F9F2C2F11E73E528AF883D,SHA256=CA7EA91CB1FD25DAFA922EDA1615AED6A5DE2C002F19BA6FB484B76318739586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:03.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDDC0893ECE0118EDFE4B6D7AA0C1DA,SHA256=875CB859C42172A6828D67177474247C53D55E68B49771C4558DAF183C33A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:03.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53FDD93418BECB719E6960E370C80AC,SHA256=D98A5C56A5EEDA9EDDCEDA44BD8E11F6452B94FDCD7BCF6140985C6FB0A1B6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:03.007{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-064MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:59.700{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50536-false10.0.1.12-8000- 23542300x800000000000000083939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:04.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F562BAB2C79084F0A9C64C7374ACF4A1,SHA256=DF1B39CC1B5057DC243B8A8408A8D9737DFF756CA2180784FAA4B22D993E6E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:04.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E73C7058C4B1B677D151906CAB04DE,SHA256=7BDD777CAD052E61F3F22F028531E1BC9C80D5997FB2412A91594C46445FD565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:04.011{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:05.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9767DE53C738D37A9F67D663706D6C0B,SHA256=5801F39F503CE728A50F5570A998696D47E0A837C837878222D3D54B96E848DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:05.714{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63DFA978BF60C120FBF135CCE689015,SHA256=1050AAD62B877E6A9FBB55B17042E0566E4EEF078AA563E21858878FC74E3635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:06.606{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58C551547197ED141469C34CC7833D3,SHA256=BAEEEF56C22F01D91E2B15D9D51CB556F1BBFCB13A8C6575C3F8FAA6949602BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:06.729{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33732B5991440AC5E90BC7FEBF012E10,SHA256=760DEE29BCDD8536C920D29DE549D547CB5D6D79D51BA2F04C5575923DB21C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:07.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28701A3580949B510134075EF35997B,SHA256=3FC0C8BB003AF3D61E2B20AE00FCB085F088292BFECF8E3379C49BD3B6A4DD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:07.745{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177AD014812C9B6EF4B4EB88468EA72F,SHA256=2CB6BFFCA9114FD6B15CDE6CCDE869E5DBC8C070AAFAEC993F8E2DE40FD29AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:05.661{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50537-false10.0.1.12-8000- 23542300x800000000000000083944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:08.761{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22B7253D7BD148741D294AFA98C6870,SHA256=444B79D551427F608F1F6979C545A743F88FE186BFFD1A999477329F88276EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:08.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896FF5DEDE7B2B0309091EB74F245F8,SHA256=51C9D21F3E90371B4A6D8AB8F6A5106EE550B2EB8C5A6E89E3A620B54F6378A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:09.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47546501196E88D79A01D2815E53D77,SHA256=EA11F0120C22084D6728BE8C3358F50953643B93E0F1B8F0A3914B5CF7B55CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BEE6A2BC9F0673BADDC1DD1EC20F43,SHA256=A16133497BAED804A915FA481B70E990FD60ECC354AA59B0E146C65517BF51B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.557{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:05.654{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56023-false10.0.1.12-8000- 23542300x800000000000000083947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:10.792{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A868ABA59B032F0F2BDEF0D4A1BE93F8,SHA256=9C135CBADE607BBABA4A8C4DA39B6C9FF210BFE414DBAA5B1F79DAB9F2B5817E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:10.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAA14D8ECCAD98DBB60FC0D5E51C01E,SHA256=70C7ABDA8919990A5E1453F341CB98BCA7C787B1C2C61711B83AA920C48D9CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:11.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B020AA70D5D65B736BDF8846B785,SHA256=DB0E269E56B20537E301ABF9DAE747E03AE8655C0017B844AA7AC977BEF59A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.098{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50538-false10.0.1.12-8089- 23542300x8000000000000000102747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:12.809{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D52C7A916302D4FBA5089259D0CE1B,SHA256=1EEF206111033FEFE61F361E28F74EFD87931F62945B45E22EE99C324A1007B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:12.010{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FD2628817C147778F182C7C5182BFC,SHA256=1743DB0F392E1BF878E262CFA8408FD3C9AAFB899F7798A1D51999C295C5E921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:13.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A786E030B14383FBFDE8D7600B39DAB,SHA256=ACB763DC1D36B8101682B65E829CBC6CC83C375F75D893D9211E5B4D9D9A3D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:13.182{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A70FB68A92B9BEE4706CA522C10708,SHA256=2A33ADE18DF5B44739B7AB0B1AE210FCA9FCD28452B0D43E604F245D7C6047E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:14.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2162D05F93C7C31DCC8882A482DF9E2,SHA256=70342E969BB76162FF34F5A4267EE4ED310CDFB0443A107B9FB7B0A8FF8CCC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:14.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409E9F861DC30BB0D2080BE13306559A,SHA256=4A91B610C1F0FE87496ADC02983954AF09B2F5868F3774FADA0F3AD38B93537D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:11.591{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56024-false10.0.1.12-8000- 23542300x8000000000000000102751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:15.854{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6227C07A438B0F7551A7DF73DDD59,SHA256=0BA887626D8E311578BCAFECCF35AC1E26BA4BE636381360E0D3EE49CE3866C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:15.401{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC961D67F331F7B5B7A2770C657C45A,SHA256=FD6245B4CC6BAFBEE30082A7EEB755132AB9320D9D5912ACBB3B93146252F16A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:11.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50539-false10.0.1.12-8000- 23542300x8000000000000000102752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:16.854{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE59E09AA48A005E4432B47AF6A917F,SHA256=051C50C87003160D04843A2284142C7651EC697025165ED108256D31802A7C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:16.501{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478EC72A8DC0DA92D6713090128A8628,SHA256=39CEF49C6E67A0A11E3B4C3F790048C018482D38D2CC308AD07048F2BB9067C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.863{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D286519B9E09EBB756CFFAC355532241,SHA256=F1F1D88D84ABFE1CF4D18C9B4CB78D9D0B1C9D928EE3F8DA382E22054B199D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:17.564{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1248602998E7C9F63FCAB826BDF33642,SHA256=644B523582CB0D9C0D4CD0EC40C7DB5337F3841068D5FC3DD1B8601F1FFE0FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.561{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-064MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:18.877{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A72BD4A70154A5005092C3623B4463A,SHA256=5FD4B2B2A8F0EA790CF5F151FE9DE1804625AA915E2EC3C9F5E965F8A2CB8EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:16.776{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50540-false10.0.1.12-8000- 23542300x800000000000000083956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:18.657{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BBA015868E28571E34629D84D45F69,SHA256=A6BC604B55017C6D78BD2BE532EDF575F8C752E91E606B3FAB36BC16A2031850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:18.567{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:19.880{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5790F67BA6C1C7F7C1BB5CD4B89CBC40,SHA256=2271454782D5452DD2EC4E4FAE5A409E6DAD46FA1446159192693E691FC39308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:19.704{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916828045A22C5F473B7517D30B88CB6,SHA256=965166C24B14F91130F491ACF7FDE24E60D4E49943DEF31D46291632D91B1DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.598{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56025-false10.0.1.12-8000- 23542300x800000000000000083959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:20.782{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC2E2A2800E2EDA4A3B90E1E2AE5769,SHA256=DC6E683B01BBFAD22A233BC234E73ECE1F9BF420B0EDB46344AD07EF4EAE2B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:20.896{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221AF4B17050F45266BC046B81FB0FD7,SHA256=AF2B1A386E7FCF8DFA43C29C73E3850B12B99FD7DD52A958D3386B104462D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:21.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE2F5CF3BB5CB2C4F1C5AAD355E2F9F,SHA256=74EE1C357CCCD1DC2B7E62D65E7110C82ADFCBC03522CA48CE7F7307F01A2141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:21.829{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E6FB4AE64CC51AE567D26591EF96E4,SHA256=3E6FB788E26D377B23DEB31C46DDC53C12D80083C2CB1F07AE1F9AC3131A8439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:22.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14263F565830565BB57F1F7C631F9CDC,SHA256=3DF0896FC7381FDCAB46653A2F5C6C3344C2E506A152BCA34CFDB1543084AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:22.845{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B50807A5AE5CC30DCC914CEAA59F54C,SHA256=F04380827FE7D69BAFCCE525C994541CFE25C3A0AED93B38ACD71FCAFBED1B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:23.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5436B9C6DD8950417D6213C4A6DDBF3,SHA256=1AFED5811EB8986C934A262B3918C84E3ECE1BDC7F6D05458402D6B00A992EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:23.892{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF740739AA0D9470803B64E123AB898F,SHA256=7E3684285587D9D766E27B1A998E075994D653FB751D96757F5495BF72E9ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:23.079{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=86089DBD44FA8098180BA387A7D91C75,SHA256=E1AB4781C08CB2969EE9D73CA81DA62A166C47A38ADD8040613CF1BE778FD541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:24.970{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CC6B57406CC9FCCF02341EC682DA63,SHA256=1B6D4696D3F98B8C5E53A04332EA65E95D2C18FC5D88A2455BC3089BCEBC0919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:24.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09CEA5CB9C9B6A9A586DA1F1C2CACA5,SHA256=05CBCA4C7E511571E9DB3B84FD4AC1A0399A3575A428C90392768233ECA431CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.985{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1EF4A682BCBDAA590B2C7D0066812E,SHA256=7523EA27246EC30FDB20DFD04E5DC347BD0BAFE298DBA499CBC8EF842B58D3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94B6B186152CFB36818421BD0844FCC,SHA256=4592CDA7ED41829C1A92D64475681289900ADB4420277C4DE70E3A981AAF6605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:22.792{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50541-false10.0.1.12-8000- 354300x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:22.662{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56026-false10.0.1.12-8000- 23542300x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.177{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.130{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=35A5DC9855799EB554271F2657FEEE41,SHA256=57D62EFCF53E34522D9F07AAC8B46C1A8750DD6DD8B89C098B4850DB19596EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:26.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBA9FAD8E195D9640FC498834A6DD32,SHA256=C1E83E5A354482396D966B2745A894783CDFA3428E68C745966578B36BAB2ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:24.647{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56027-false10.0.1.12-8089- 23542300x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:27.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE4F2F9844F72F4AD22452B93A3622,SHA256=5CD051B7DC24AC4EADFA55B7C2AAED7E031517F8F1DF5BD14A526C320C173509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:27.001{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AF76C68A45775F93CF2604782075CF,SHA256=59ABD8BEE6869774F12907DB704BD88915E6C5C238806C6461130CAF0D98577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:28.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B987AB5E68A518764ED866892B4398,SHA256=9DB518F1534904EE881D261C2315EA9852948E8F4B11CDE4D725BDC91ECF57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:28.016{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0346B0AD3F7EA56CB014C020DD794B97,SHA256=8C46684EF9C9EF69342217797FD25557EAF5BB8916E47C0F66338196B45A4E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:29.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E27B684B08D9463271A91BC3B923FB2,SHA256=757F38C1AEEB93F46CAB52C5CC5CBC963B684C7AF16575F56D5E83785E5CF37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:29.063{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22447F6F9ADCD8BD3AEF03187ADE7D80,SHA256=212E72B70342AEADEA7DA37603751A59C24CF9E8CDE7164D2DCE8877007426E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:30.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16109EF744E8167FFA76AAE1A37E6F36,SHA256=BE14CFB8FD5DD6EF1D6B61CC8CF98FB55E66D95C0C00EB6BC249C23FF619C49D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:28.557{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50542-false10.0.1.12-8000- 23542300x800000000000000083973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:30.126{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD3A3C8E09A61A3E8B1BE12D414A7CC,SHA256=E4F89DBD3D7E8CAC92F88745642D5F7794DC731D308264CB0BE63FE353E909EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:31.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89287E0C6454712492A3C0DDF613ABB,SHA256=0C4FCF3EB7DDA56A0ED868D3C034AA87D7C1BAF73F4E7B78D2A85DF19FF824E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:31.188{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FD8F73CDBC1453DBE4794DA202B39,SHA256=CEB200A62579D912BA4444D825E3B724EEE4514925683C15984F7DA9743F67F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:28.537{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56028-false10.0.1.12-8000- 23542300x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:32.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F899FD6B65F98D3AF07351648AE19695,SHA256=722BFEE864FA94B2C1CEB998713AA3B629FDC714DBDE91FC79EA50F3C90BFFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:32.219{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38594D1F0969B10CB4430B9536F7F45A,SHA256=644CF3015E2A2BA7EAFFC4AE96A8CB52878800D6F5215C1B6238637C25CFD076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:33.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB63B457CB4409A426D01AB8DBEC1E1,SHA256=6012A260B3DDCB55A3E2270C683491F4800F801967E27445460E0BB0F16C682B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.408{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.266{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF573FC9A4699EF0747B19C701B9195B,SHA256=65247C854F851FB6E20D17B1A7C68F3FA3A4EB7EA530A82E23E4C30E85417E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:34.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844D0334A944837C2BE0E59320EE4CE4,SHA256=F07C9F35BC1AA3565ABB933B05E9AF4B3BCCD839202EA823460E985A1D5EB20D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.423{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0010CAD19409C57254379FAAC34E3,SHA256=A1DA4B686CBE9368B78EF6FF6840EEC87E9FEBD7D0A5B86F9154654653A72FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.423{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A664D05F0B5E4171FE7CB932E8B60916,SHA256=D3D14D6E25C891C7BB99D888FB8D8C3915382B4F8F4CE8C75593F8FE37CFB8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.282{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BD31CFB9C12D0B62CDAA08445A3658,SHA256=55FD01FD3C1A5F138C85E1F4757B5C40EF33069F9BBF305ACEC048B141ED2D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.787{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0010CAD19409C57254379FAAC34E3,SHA256=A1DA4B686CBE9368B78EF6FF6840EEC87E9FEBD7D0A5B86F9154654653A72FD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.626{6F8252D3-CEFB-616F-6E02-000000000602}15481944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.563{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234D5C3A2653F38BE61B7AD9A837DEE7,SHA256=C866CF32F1EFFAAF217307F30D9097D7C62280E7B95580D7C61AD9100C533C95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:33.616{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56029-false10.0.1.12-8000- 23542300x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:35.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539437C3196B7463CA3BEBF501C1F19D,SHA256=B0F9C1738A445832B5869AB46235ECB31F8F18CEAE1D4E73A617A5B608B0FC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.423{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.960{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.787{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99206F840B61E4063D8AC7ED11B2605,SHA256=CD3ECDA6237026CD98C6BF181F7173EC01EC06BF12822A76D4BC5CF4F418C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:36.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2395F1819EB059722208B86ACD12AE,SHA256=3C6B1D2E976A03198B9ECF86A13DCD0A5F6C289C318C058F949EBF37AEDAC416,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.792{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50543-false10.0.1.12-8000- 23542300x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:37.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDFA58296DFA9AB94F58E82F73CA71D,SHA256=2C8054F106875B24D6CB4B803FEE7CF72F97A3F21B57F41B45B3077CC8D4B058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.615{6F8252D3-CEFD-616F-7002-000000000602}32642432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.460{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.209{6F8252D3-CEFC-616F-6F02-000000000602}34442380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:38.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE68AC0F68B35AA76272E2772F22DAE2,SHA256=DA4C6808258CA4F9002FCD2A214EBFC01D50A6937380F2A2F8EDFD7B3765599E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.303{6F8252D3-CEFE-616F-7102-000000000602}31362760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F59BDD315D16DF115FC1A04EB3DCDF,SHA256=CE9AC7532E0DF1EAD6900355D95EAA874EB67E29703A9915508942196E9CF124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B65825E389E4BAC6E9BD47306701F00A,SHA256=47DDB3292D99B272AB78FBBB985C0096B84EFD89D65AE449D385770DFE5C2849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.132{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7235FE16C85A64BBA5B41B4728BF42D3,SHA256=55F45D91FF5B6B2C2293B050DE423B2B1DC6D48CC1D735B17056EDAF72B92EA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.616{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B032DA63D49702BF492D35DB89B773D,SHA256=D0F3B8A9EC668C900389B44325DBEE55066ACEEC9579B304841B7809EDFFD50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603A2E4921AF6F7982435B6FBF1282A1,SHA256=4D9C8CA71E1AD61B8F08FC8E45D45B1160AF78E802EEAE0FF25BBEB403A18C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:40.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF06B1F159315782D0DFEF6C05B7C,SHA256=6F1140EB47749E50CF229C8D42F2FBA4FD3BFAB455BF4CE6F20696FD2B6FB157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:40.772{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD05B3DE50704D63C64A227C8374B035,SHA256=375B032CD60E32B6317C87A40E4B1A7E08DC37AC84317053114F8DBF1DA9E241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:40.178{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2CAE50137624EE04F6E03161A401AA,SHA256=082297BFF9AD1339C8DC988C19F573E617E213FBA0CB5DB4394F0F29BF7E724F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:41.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC723C5E1986039334DC0E97D9490CAA,SHA256=3C79FAEA64E0E736CD9350B15AABD40E3DFE51C98663CB26F09929332A9311E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:41.193{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FF1EF5030137B92626902402F4FF16,SHA256=7D3A27BB5172897C3B64883B2FF77AB6E153E52BC81E9002DDE6BC065DD86D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:42.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25E604E138B3BB69B7BD9877845826,SHA256=79D7A77C36327B2BB5355085C1C0B0A513F982144EBAD4EC2072A183AB9DF616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:42.209{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8B30EB59B9016D2EAC5AC95F0F11E4,SHA256=637A92E12D622738B633B2DBCE7F22CEC56CC3AF143953B797936E1E617B1565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.563{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56030-false10.0.1.12-8000- 354300x800000000000000084087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.734{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50544-false10.0.1.12-8000- 23542300x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:43.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF008328676A9F1FC056C74811237BA,SHA256=0B5512D3E4675CDC8348811C3EA0FB957093B414C05E7A597AC9CA1007F8B977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:43.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435F47B0351F203824B4F30A653F5577,SHA256=3850EC5C7909606A0EFF856F7B9BF6FC1794A764BA0981422F7981372CA89F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:44.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F19D1F62783C7BDFD9418457FE9CB7D,SHA256=6F6AE774E108D212530D7AF340FE5F626971E5A1710F4FC0D0021D0640096604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:44.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC92A2AE6E4A25C26447EBAA95CA665,SHA256=C2265B21CC313EF9CE876ECCD66F9688F624D37B65BC265B4C2FB30BFC916BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:45.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3597196599125B4B325CDE707DD235,SHA256=929682CD256BD14AEA9B4FF9C51E12E9D5B5085C5E3C55A729BE6F699EF23719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:45.240{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA2D3EC78E1ECE4FB35FEFE2A0DE4CC,SHA256=1DBC5E2195A895DD00F57CF12F389D736316FED6F39EEBD2E297EFFC4756A996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:46.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2BED39EA58C992BDB9BCBBDA8FA3C,SHA256=6877FC06D1187ABCBF509F6BDD074B0404320DB1FECEEBF0444DCD27D89133FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:46.256{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5C1953472921780B7A539D2641C4ED,SHA256=CD7BBB5EF78F115207434AFDBF259822F372471CC857A750190E78EFB55DCCD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:47.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26C5FD048DDBC83D798738C0311501E,SHA256=F9E3A5C8D4B92EF2A7924A56E078C2BC27154C54664C00F48FD8BD1CBDB229F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:45.718{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50545-false10.0.1.12-8000- 23542300x800000000000000084093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:47.271{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD4B69A94EA87788A16AD3D119C7AC8,SHA256=12F275053B56C70EABCBAAD85CB93469F9F92FD5421710225FBBFAD75621887C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:44.673{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56031-false10.0.1.12-8000- 23542300x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:48.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2A3534E758D8FAB92F236A74E2800C,SHA256=17BF458F1250CBE40E08DAD68559EBBEC76CEC966D50F622F8519C4083528C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:48.287{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77E2C1003F7C9A617E24BD35263FEF8,SHA256=9AA8AA8F9A0F662B7EE3AE285156DB83C4031049A29BB7CAFC54660320E1ACC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA2B82BA981D6EE72D893FE7C048F22,SHA256=F9ABF4BA4B7BF406149BFB49E775D465B904E1E454609B567C62B6B2B7A749C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:49.303{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9DB7068445C08486537F0A3085E2A7,SHA256=AB2A70142786B0DBB7B07FFEEB3896BD249B59B45458EDAFA3CFA8ED9F89EDD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.813{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.939{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C5C2E6372400FAD154201992B4F5B8,SHA256=7D6A8ED3C5374E7C05D59E442AD12DCBFD847F1842519DD6E910004EBEE336C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF01312245253175D176BCCE79A8E62A,SHA256=25FBF98225CB3DF3F1794A5D41CF2F99DFF9B5FCDF6BA8E11B4AF3BD1945A517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193C70CB4DB80D6CC2D19011C64523E1,SHA256=CB77E8B473615C4FE7DDC571DDEED3FB2DF6B64E8F4EE2E8151C0EB5B2319DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:50.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E129B4ACE1D4099C9A2A085184A84347,SHA256=3BE202CA8BEDD4AE24E718D2229AC45DDE2386767E2607B52411B687A1D466F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.313{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.124{8D4DD44E-CF09-616F-9C02-000000000502}13084688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:51.968{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF01312245253175D176BCCE79A8E62A,SHA256=25FBF98225CB3DF3F1794A5D41CF2F99DFF9B5FCDF6BA8E11B4AF3BD1945A517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:51.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE42832A65A37383E59DBB0E9EA53F6,SHA256=1FE0FE9B0E659827A372C5F03033422A6D4DC77E8166D1AC9B9EFE657409A469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:51.334{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403D222068A040BE3183389C7D3B7A3D,SHA256=7BDC2E2B4465D4531C05C610325F18B88689CF0C818E79C1BA6AECCB62BDA937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.969{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AE4FF50261FB2650AAFA32EA6F924C,SHA256=182EA567EA8CA567D6BC0E7E23EAE6529D0E359DE602733F2E928E322CC3EBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:52.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E566B65B1E6D3DC49BBB1631F15E300B,SHA256=1C2F81407C49BC066F9DFF56F7CDFB8DDB29D5A65C9003A09A74413CA1BE8BF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.438{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56032-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.438{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56032-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000084100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:53.365{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89878DDFD7BA40D056EFF9A522ABD0A4,SHA256=02608E1233A88E5EE31194D5BE48EC4AE1F019FD707B64F1946E57B1E8506EA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.579{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56033-false10.0.1.12-8000- 10341000x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.656{8D4DD44E-CF0D-616F-A002-000000000502}19322860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.469{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.203{8D4DD44E-CF0C-616F-9F02-000000000502}45124624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:54.381{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F753B724D3F9E1174C278C936396F3E,SHA256=147E7B0A366AD708554B747D3BFAEA3F60CEDF15111C0E03370E6B106F8E2972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.390{8D4DD44E-CF0E-616F-A102-000000000502}36444148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E4007BF30031A0CFB5059C529E77D97,SHA256=064708C01013A67F43B7ADF6F46B5DAC47D9D3F7B9357D745863675BFDC21D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3636E3498315D2374A7A9F0D681B9F6B,SHA256=74DD84F5F864294C7D0E78DF6ECBFEAD24A3BAB7CABFE235E2BB5832E3EC157E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.141{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:51.703{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50546-false10.0.1.12-8000- 10341000x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.501{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.156{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9F7B36FD4A5F527107D64FECA0A8D9,SHA256=98A271F97F7325FA5B50269261B5C8F3BE085E6B0B31D06B7DC9C15466EF7C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:55.381{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3F754DC72B612725903D18E8569E21,SHA256=5F0D2D246F3E1B2B8BAADC454F2594686A8E2ED78734C44A7646D8EEF1B7A21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.140{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803F1062A5DA08667D66BBD9AD019495,SHA256=BE356759B3A04223AD618082DA824F979E4AC550B2C87A11B280E4BE23C3AED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:56.386{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA10A276271745EE0E98201FE920AC88,SHA256=BF5DE92F3AC81B6749238F57726BB4F26C1065B269CD2E4845244CED8D32DDF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:56.567{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED1721B6C163F78BE1A74B5AD9670C0,SHA256=88A980185355F19CF68174870D3553CABE8688258FC312634167C9129A119379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:56.207{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C543A70FDE257DE258F61601EDB474,SHA256=B5BCE0BF19CEAC5ED3B96CC2EC1A1F6AEDF4A2ADA67C677FA2F1E714F311FD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:57.402{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC5E609F00CB0DF8FF2BF06B689BF96,SHA256=B32E915A6A51286F0F0F046421DABE70AED3B06B533A5573739469DAA93C24C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.709{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56034-false10.0.1.12-8000- 23542300x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:57.207{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5038C4C0CD5977A37B4DB00354ECDC,SHA256=0185DD87DACCCC99C7D794FA4DEA21D85B9197C0B03FD7F1613831ED3BC77083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:58.417{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3305E05DD377D8FE924E6D68FC3423B7,SHA256=551ADC44F69213DBB743AC9122135EF1B6EAF323BE905740815D575CA6A2377F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:58.208{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E492451621354060BF239A573B38C38,SHA256=2A6609DCCC92647E3D84E092C6BB56B8FA57B9369D587E4E994AE90076D66A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:59.223{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3AE907C66E4401347FD369C7A4E84B,SHA256=C9721F4CEF98BEF1652F07664B5D7919190341C32A60947BF0C2B8065EB5D30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:59.433{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0969158E8E071833057A3E2FB11647,SHA256=EB1EE84BFBFF00E51C1E1E2D151DC0E4A42B66BA6D7D80C81FE3A89E66AF88FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:00.254{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2E40C5658828C95B8A0C671A24E36,SHA256=87F31C1F637F3B95D6D1C8645257EF473B3E1BA8B15A34915298AD99345C12C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:00.449{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE3286FB24B918FDBBBBEC450BA76A7,SHA256=3F8CAFF3C823292E83489F95F3FB6977D3C3FED3602CFF066CB942D219F82E24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:57.677{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50547-false10.0.1.12-8000- 23542300x800000000000000084110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:01.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241D1656BFF33FDA06A3076DFFE9652,SHA256=7D74C4FF432D60764A8AA94FBD041312EF003438D6AAF81C3468CA1B1CC65265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.286{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B265110EA7642901A5313B67E63F4FB,SHA256=88A70D7CA6DD76A5177A15FA64A3F233582B37EBBF75FF95B4AD4594C52C194C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.114{8D4DD44E-BF3B-616F-0D00-000000000502}9003292C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:02.480{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23060E85A2FF302A3B395A668F604981,SHA256=26A44FC8D0270FE43A8BC3DAFE92FD6324D0346514D53B9AAB76ED616377F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:02.364{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C513D8C5F361275DEF55EDA8D858A3B,SHA256=A7F9653390C9B29253FEA4D2D1888A84701A42A7216D0D29BC37D12F0B38C8F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.694{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56035-false10.0.1.12-8000- 23542300x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:03.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DBB8182DA2C0366BEC5BD521AA1D8,SHA256=079DA38FD130DDB685F805A349E59F94FA9924613A8FD45F2F5BB8C8E51AA7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:03.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE9985D7F132B8DE8577D1C11D4237F,SHA256=58F43CC28E66F3C223407B4A8A65ACA970A4467389F89B051ADD6290370D1AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:04.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E844553298E7939E63CA1DBDBA494C,SHA256=A5D71F089DF49C3B07D46C2294FD647E5510CCE115B0FBEC5B5BDAECB7943B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:04.531{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-065MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:04.497{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41AD8B5A2C219466D041B8AC0C77728,SHA256=23FAB908B20D3B070FCCE1EFA238B7FED3DB217D300B16B7CBC1377D9857B667,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:03.648{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50548-false10.0.1.12-8000- 23542300x800000000000000084116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:05.530{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:05.498{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BE42DAA137174A9848E79C97D89A1F,SHA256=70BADD696128D3C19F436D9FED180FEA14FFDA12F11602C6E1490AED13EBA243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:05.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A483CC87311B22057FB34F6E472533,SHA256=E37C96413EFA23591DCD4DDBD12FF2C581CB2EDCA820A1CA301DF5E796ED16AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:06.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDCC00BA94A5958FA11315E126C85CE,SHA256=057424FC209C2C8D44B3BF9213CA73C18166CAF2A92323C5B1833ADD9A58DEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:06.395{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170B641D0AB19FD82FDB744696A3BD7,SHA256=D7BF04BD2B1FDD69D4B25EFCEA3B6B0F06D399A265F0A57CA177EB8DEF73C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:07.567{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB94E83F00BE73549F6E2077963B2A59,SHA256=01F329E5E7CE116EA917B6002733002B7030F1CA95C66A6A354A2B13154E7360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:07.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327D94EDD1997D60E37A76E58902163D,SHA256=513E0B17EF51675BFD9C996197A4A816FCD4CE55BE7F3F00E1CAC1190580B4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:08.786{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2BB4B7C0E20672D1631AA26C7563D4,SHA256=1529738B5735E9F33553A982BAA3F1D53FB56EB3FB768AD8474437E822605007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:08.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68766509E20D29F8CDF614220F9BD4C5,SHA256=21454780439E703EE4619725D3FBDC124509ADCBFFDB6911D6B634B5D90A0ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:07.538{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56036-false10.0.1.12-8000- 23542300x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:09.833{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9223B83061F5C102FD144BA825F9364B,SHA256=87EFBDA9860E19308A6C921AEC0C1FF2337E0B2BB068511E5D9AF4CC327CE329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.586{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.539{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F25B3E7A20C6D204FF6BC2C85BD92A4,SHA256=F7621AFE3A1AB00609A9CDD01C84644AA352152A4C58A5EB32FA90630B153DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:10.833{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7800BCC72782FCE3AC6A9C0843FCBCC0,SHA256=5019A0D43957A155E9E051761EEB3CE1098E00A37FE5CCEC4CD183A189FC3BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:10.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795207A8F079636C898B4CD04DC42BF4,SHA256=6F199C83B05AAA14036AD18C332EEDCFA215BB8C5CCEE006732C80CE818A6603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:11.879{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5627F552AFF0F8DB674C3A3145151BE7,SHA256=66EEECD2095BDFB613F958F856545F7520071198006E6F38A7006B561B0B418D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.127{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50550-false10.0.1.12-8089- 354300x800000000000000084125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:08.658{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50549-false10.0.1.12-8000- 23542300x800000000000000084124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:11.570{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93052F4D26244B82325D8CE57F2E3D56,SHA256=F1C6320644D5823ACB406DAD47DDB8D5A0A9A93193C56FEAA5B92B63F485D29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:12.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B097DF4A3700B026C70E16C40ADF9CC3,SHA256=8ABE822292D46B3AF4C8DDABD1412106C97D915A40D7EB0FA2504EFC3588F767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:12.585{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98802D696E82077F36139691BFD2DD3,SHA256=88029A37DC26025FB433B676143A704EBCC47AD4943D7F9449C25C6C814FD7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:13.926{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB61FA9DF7AF2085EE1E3A90099FC72,SHA256=A9469916F5A4A9CED37DAA50A1B553098094F38F758A56ADDC7EF1AD842FCE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:13.601{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579BCF44B779D0CF7016BE9F389EC497,SHA256=1898056A503D6942E46872F4BD767E2B0025FFE257D008C75565EA7FB0D51D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:14.973{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192C1CFABC2392808EB99596D20A314F,SHA256=4A84B8A04D80858EBF8831A369EE140D4DEC478CB6879CE1E047AF6659136466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:14.617{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E496763256C4EC62EE0A7BA16096675,SHA256=6D2AB695CA774A46F515940960F7F698F792FC306F47671B2554E3956E267DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:15.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B01E17D81CB4DA269C7E9656188965,SHA256=E5AFABD4C9E7DA5CE5B3AA8D825E8B5D3A56A19E22610F519BA78194D0FC144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:15.632{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C9DD997EECF20F1193546574F0588F,SHA256=F0FC83A09D008778C38B1DE63F67D769AD625E609B20A2280B6B44C409A42611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:12.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56037-false10.0.1.12-8000- 23542300x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:16.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4541B87D3CF27518AA28A3DFA97A2,SHA256=9BBD19042BAE6BEC5462C4712C98D234EC64DAA3719BC15DE28C746F5AD7BFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:16.637{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB288C87A7D1CE621F17C9B2B5E4224A,SHA256=07C1F00223B8EEBF1A0CBB95C2F4901C0D645D1000E84E9662869E7B0712BFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.990{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBE893AA37381A1FEBA913F21D68AB8,SHA256=6C0F851A2B0BFDA43F4B181A365963439FDE73BDEBE14056872C39C8B88C4649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:17.653{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAD7B40C279AB21BED1B729AB4632D5,SHA256=4B3881905E720933FF1807323771829E718E593193228C148B6687FC25D80892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:14.627{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50551-false10.0.1.12-8000- 23542300x800000000000000084134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:18.668{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA586A65E898ECF522F5F4A8DE4034,SHA256=97A90AB1FCFE9A23700ECC2C69FC2AAAA939A9136D82C02491DAF27B21244557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:19.684{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CD511EBE929150DD59814AB2219724,SHA256=0BE8904210FADB7FB14877F519A0B7D305952FD21C31253C3C7D61788B34AE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:19.099{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-065MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:19.099{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01590C0A9645C9BB6A7850CC20943AF3,SHA256=02636B6196469F18B325015ECF02904E81DA440DE2E203A4C88A2833F536D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:20.700{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A71CF3AF1398F70256B6B0007FCD7A,SHA256=1AB70E826BE51CF202A393C4316B830EAFCCD4A08F7E963C701119BD5E4F592F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:20.106{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8783E1D257183F841C32042C3A2D31D5,SHA256=B901724DF929B420FF7A3696647AEC9F58F90F63BBA63319A0643EB639B5D596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:20.100{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.711{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56038-false10.0.1.12-8000- 23542300x800000000000000084137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:21.715{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA04188C92B22CFB9742BF59DB8E19E8,SHA256=EC5B18C765BE376F344F16BE67DB4CE8AA95D5F2D72742C7FD2E777011F6D1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:21.163{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188401B455B74A742890B6A45B949A84,SHA256=61946D0F7510D397B9F806D75D49EDED54E0C04984E389C4748EED3ABA717748,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:20.631{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50552-false10.0.1.12-8000- 23542300x800000000000000084138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:22.717{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B553A407386F4C87848D20B4CB87A94,SHA256=DDF2CB5CC45609EB9364D2A222396E1D6EBED6299E42813FDD657CE43724016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:22.178{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3B5BCE271128734C3E0FEA7B61CEA,SHA256=EA149508DEE89B526BB32FA8981B640F38FD3F6CCA1B7782CF6C16F689A0B18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:23.731{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B495B9A832061C0BBB6916251745070,SHA256=DE60DE5126C8B2A9BA482A84662369EB4C3EDB39F990EDE0855D1AFDC600736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:23.225{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E1DD74D89268FA5243DFE73A97B8A,SHA256=3EFF26B8CFAD04A51931805D53E15E10A9CF41014F862529CA389A225BC08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:23.090{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=199DD9D76F36F36B444A2A742FD5C7ED,SHA256=1E94E7A21509764645A7B168D127FC20B41402513BECFAB93FEEE2FCC74E8FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:24.746{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FD2201B656E531EAE5D7A285B68D06,SHA256=2B9B418C13E69A5EBE289766785926C94017634116D19A248D45C55C945BE28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:24.256{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75865F53790410CDD31C8DDD5F8D8670,SHA256=46487BBCC86C4465404B1E41A4958AD7102F35818D2ED3101CBC281DE662666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:25.762{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79A9DD1717C8DECD82FB792C7740985,SHA256=094AA524A233E2392693A4B9410B59080B71D04200F9E648E649FE9BC27CAE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.256{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F90802B88D33648CE76A65DFA92F5,SHA256=7646B1009A8D2B1D66D6BFE8ACE033A567E2545F5340AE6C140B74EAC6444C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.194{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E2E2AA3C106F3FD3B267B8DB013A287,SHA256=9B468D5FA4DDF5C73A5F80AF5BF6BEAEADEB1108558A6B2AAA8B91FAA0269176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:26.778{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779B8B52E3F798E12C70AC87B5568DC6,SHA256=D99916F7B273F6E450DCEC922A6AEBD797AC7BF87A1CD074060E8028C352F70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:26.288{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA987C96A9DEFA00D974E6FDBB010BA1,SHA256=7FD413FDD74589E309CEE138A858251A7914D811D08B7FEB14DA4A0ECEDF95A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:23.618{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56039-false10.0.1.12-8000- 23542300x800000000000000084145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:27.793{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088019F8CE6F27767A19A39BBCE14845,SHA256=39A7F31FE1F8B9B9D47DB3B876BE517E2C60F28591DF1E0342E6A765F79D5B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:27.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EAB9F53375F393573F95C65B4260,SHA256=C35D54C9C6A98D60EF64E4A0D4152BE48170CDBA314829FB680FF4738C41F1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:24.665{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56040-false10.0.1.12-8089- 23542300x800000000000000084146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:28.809{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C6FFDF9A3E7FC64235C086390984E6,SHA256=E6E706B6DF73467E710B069533A0B5727D4B8C3A29D7D53ACF07E82097CE224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:28.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF759A634FEDC4B01F07D72CF9D007D,SHA256=A0AF49C1B245225A53DF8CC2FEC813BF96F917FF550936ADC20E28F311856AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:29.824{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229E4F0A3CC8DAE5C4361297CF2D535,SHA256=A6CA7C887333F1BEDB0B1266D051B4D4425B9C868EB0234F7CD2461E49916C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:29.335{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD6829E9BA4CCAF9E79E0BAA1F2D5A,SHA256=B774015AEE3B4603F3407C38421979C31F13147EF18A7E2B2A6021834A1160FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:30.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA333AB0755C24B88449A0F2771065,SHA256=1010EC74E6C0638C185EEC20795C6EC1E10B23175298837E4F893430CE14EF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:30.350{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D56DD38931B0F55F4C8B6D5E6130DB,SHA256=6A64EC9F9AC1EC5949124527DE40DE5FBA5227812AF0140EA38091A353EA6B2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:26.693{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50553-false10.0.1.12-8000- 23542300x800000000000000084150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:31.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1458D9DE731566BA9C9E5A2DC1CEDD19,SHA256=D168238C87262C69768B212318420B11F0E72EDA8784B24F3FBE99BB9250FD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:31.366{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1809FA2F0208A57F4D25230431CF42,SHA256=1B9C1F7FE813FA7B7EFE502490FAAC89F0F0FEA674A3D3D0616FEA1556EF7E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:32.871{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDD4AE0E444791FFDB73C75DF2F2EA9,SHA256=D50B8FDADCC98A8D8CE889C65E4C51FA731A9563BD820BAC8C3F69D43ED90358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:32.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E02CBDD6AB5FFB3B96B7C1A718080E,SHA256=5A1C03424A7D4FD1B6EF3BABBE401F14D14479DA1A66BCAA10228093C1925247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:29.587{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56041-false10.0.1.12-8000- 23542300x800000000000000084165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C183DB8E112A4EF32578D8AD3549A09,SHA256=F77EE55429FA0C670FFB314692A0B1C17C29BA656B99B3E875F08E845D497CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:33.444{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153E8A5DCBB75987F5E9EF4DC26FE3A8,SHA256=658BCACEFE384106DF0CADEF52177848F7BBB22D04E7C2F6DC459E1451266083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.278{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2F4E6A150DAA98E35D191A65FDAD0B,SHA256=2214E1756081E5EDF8F7C5187373EE51E6D8B4FE53C18F474876B2A079C90F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:34.459{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC65958CCC00494CA08E0684E8483,SHA256=EBFC63B5F3C41C4B941884DC809BAECAD86AD40C72C044894DC7E34063193DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.763{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:32.678{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50554-false10.0.1.12-8000- 23542300x800000000000000084167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE602911E5E5604F662C699B7B4AA6E,SHA256=C3A304F3BC5B71CA775660500ECB20B436ADA08BC302C3B6F19482959E69D429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23F5BE5EDBE8297BD9ECFC8C4FE3D4A,SHA256=FE6CE6E2C7C6B625EE0F8F95F782295C781C56270D853AC5AC860CD7968F001C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.911{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96792339CF40DC2F6F2E3594C6392B56,SHA256=B9977E169E30183C1FC34118FA64B624F3C32F2D179BC217A7C4B9387CD2652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:35.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E4F70288126B2DA9E14CDF2150F396,SHA256=9948E7A8E0E98E1DD8E196C03A08AB796326333B512124A5C80EC832AC411FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.895{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE602911E5E5604F662C699B7B4AA6E,SHA256=C3A304F3BC5B71CA775660500ECB20B436ADA08BC302C3B6F19482959E69D429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.496{6F8252D3-CF37-616F-7502-000000000602}3036404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.263{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.974{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.942{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FB3023B0C22641716581582D3A19F6,SHA256=05296AAB71ED22AFD81078DFA13D4033045F98009EFCEB03968012D419078125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:36.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D805E00C9A8A9BF2B8EDD226E478C54,SHA256=89197E8160E5B171B95678D09A5D406054F2B96140BB0778C01ACDDA5553B831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:37.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B0D52F30FF64FFAF590588A4BA9B34,SHA256=4A4D795E1FE9F76096B931C53A0C2E7D8D4A842CA16AC4DBA25865305FEA74D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.973{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA598D7217720458078F854245512268,SHA256=9936167869651568B4DB1563F72E623982AFE45A83AF623A20972D11A61B8BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.848{6F8252D3-CF39-616F-7702-000000000602}31803432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.646{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.161{6F8252D3-CF38-616F-7602-000000000602}32322360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:34.743{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56042-false10.0.1.12-8000- 23542300x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:38.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88A380F1BB8CE6CF3D9D5268C5495F6,SHA256=9569E9A6D458BE5778BCD1DEC59C1292B7C96F17B582BFC7B84603B3805A4011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.333{6F8252D3-CF3A-616F-7802-000000000602}2844836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.164{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60582AC2DAB3D3D994E140D3F27A748,SHA256=A7EBDC5ACFDFDB8E81DABA1C68B48FF7EE86463287FC757613F1F588C398DD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:39.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C23310F5DB2702153EE8F41BCBC6A4,SHA256=F4EC6054AAC6B893E86A156F1459076888B25752A09055211B2434830C0DF702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.615{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.317{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F81E67CEBA441C0ED982D09AEBF8952D,SHA256=E225775EB9471ABA4591FC90E97D527C8EF6DED88B6FD197465CAECBF6C5E367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.176{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108FB99BD80D57FD8FC150E7191E2231,SHA256=0C20810C25E364B5AE21FDD479C342113BAAD2901B1818D556CF235D0B5451A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:40.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DCCF5D5366DA505755A28003A6150,SHA256=B1BBCC4D3F332339118D7FAC34931CBD474C147D5637D46CA884084B00204879,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.701{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50555-false10.0.1.12-8000- 23542300x800000000000000084260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:40.848{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F292C4F1470AFE847E9897507A85D3B,SHA256=C8CEC3E393CD5368D8602B74C08ABC54129C0A54EE607CFA5F9EAF06A0628DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:40.208{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6724207FFF98973AB0002A24FB26211,SHA256=8C351DD0472871628DD83FFD29C504667E5938018411249780CAD32170B0C43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:41.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7017A40D4EE7113F4E5876247E6836B,SHA256=CBF8DE7A01A142D6314E95D2C131B903E76D26A7B884252435ADDF259F778D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:41.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5C08FF169637ED4563E86D1A264CE3,SHA256=FFA1D3593275B8B8E0413ACDCEC9D2B4B4252B472EF5D33502481B1F28EFE70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:40.579{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56043-false10.0.1.12-8000- 23542300x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:42.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03736A453356771FC8F7B8041E96C63,SHA256=DFC88AC88A18148315A3C063DB8C27F68C9492CD8148F6F6B086D011E556A6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:42.270{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9421FC8A8AEF236300F245286A7EEF,SHA256=B1D0F96DF50289E8840A6662A1DA34AF6B661CAB645CE1780B05C405A5C6B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:43.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E968398C6BC494FA1E9A4F39AE37D300,SHA256=621F9D4E90759CAE5D12DF818434B6FECD523622CC3BC08D20B6A7131BE10D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:43.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BE9FE1B75B70CB596614F6467E5A32,SHA256=C687A351C69BD6C7C9825BD8BD6F54B150BE19373ED262CA86ED005BD8ACF45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:44.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3CCDB7EF834D070B724E2A6AB95D5A,SHA256=6BC9C7BD9948EEA3586B82945C86098117C8244A3C295EF608C8885BF738A37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:44.395{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75233B884C5061DF2399995F13F6D7A,SHA256=A43C4740DE39C2BD8523DB5D75967FD2F9453FFDF884D31C15491E0807D1A7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:45.582{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF540F98244A982DC6ACFEB231BD4073,SHA256=A156AFC308753A8823849B7362B964A59CF36ADEA6D3E1228376581ACC27F4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:45.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1193BFCD42D8BB28F92408609CB40FF9,SHA256=D54300B3EE4E89383C8F0B7B937ACE8D89A0F01EA7892ECE849E24D9788B6F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:46.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA1CB144EAF0A42B9D1599DD2868E74,SHA256=E95384F79B543200E42207777DAF33CFFB2EA1E60DB30415A08F5969985780F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:46.614{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF1BB277B98D607365F54F2B16015FF,SHA256=CD61D583EB18AFF8430168CA50DFEC49F6E30D489D9034AB07AE6ED3F57FB13D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:43.733{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50556-false10.0.1.12-8000- 23542300x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:47.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE5A38C56E1C3E1DC9BC8D8435E3E85,SHA256=8AA8607F0D47129C620FEA95DEF0C1874874685CE334CE1D3BDC17C8B242058E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:47.645{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8312CAAE3AB9C6C28EBC2326D06FBB,SHA256=0632A32489D0E5FCE2C45D31700724F44E94CB5965CE5A3712628E7FAE1975D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:48.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6048B94BA2B12321364B79B82AD2EBEF,SHA256=2030FA3ADA392B716FE3F7BBE3FB30C70DA53BEC81481271E30205AAD38C3423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:48.645{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA143743838FB7F50DDC9F49F6669B78,SHA256=42813065B5CA6CA319196BFD25FE11A119EB748F340C53C0E1115075C12F4330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:49.785{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E900F0DAAD8B7FC1419ABEA6E2D3704,SHA256=F3A43A8AD15870BA4FDE19FF0AF0C052D0C125669E88DD3F6C2A72F5DEAEF7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.811{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51ACB023593F2184324C719F647F55B,SHA256=399A950D125D97E5119FFA1ADF8DB91FEEE5906ADBC816EB59E203077375273B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:45.704{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56044-false10.0.1.12-8000- 23542300x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5495941CBA3A88742556F262B47ED664,SHA256=D5942F452F066CD3D386F783CEDDB311349C4DFD2344A4B81F4ECE15BF1F4491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30AA41B3A3A67775DF5229063E995DFA,SHA256=EB558F22E4099F7B7310FA90CD63D5A464BC812643BA57DDDE64756D59A6B5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DC45C8D9EABF62DEA3F1B37B6ED6C3,SHA256=0581E8FC767A07F291D7096831A76116606F3A69087C06E2173CCDCEED14B19B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.483{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.013{8D4DD44E-CF45-616F-A302-000000000502}18842172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.155{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:51.020{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95249FDC64958698E5FAE0F1085E82C0,SHA256=DC3CD774FABA1A060A654974030410A7CC81D6906452C39706809CA72ED42BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:49.732{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50557-false10.0.1.12-8000- 23542300x800000000000000084273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:52.051{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11960612D9941F8DD2A4311975B278,SHA256=3F6E4C34B90C1553CAD0EDB5C83131EDACBEE9CC2FC641549D5E626B6B89B128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.045{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCAA5F242D9C3C8D53DEBDA4CE92C2B,SHA256=90C53C4DC30620CB82CDB2A45944B7BFBC5A169322A715C3213C1E4094CBADD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.029{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5495941CBA3A88742556F262B47ED664,SHA256=D5942F452F066CD3D386F783CEDDB311349C4DFD2344A4B81F4ECE15BF1F4491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:53.067{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723ED8CD3EA0C0E5526EE93214DA4662,SHA256=41B99BADDC528BD948928DEA42A52C1EBE92611F3A4AD122BB83326B93685E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.795{8D4DD44E-CF49-616F-A702-000000000502}3323804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.639{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.154{8D4DD44E-CF48-616F-A602-000000000502}13643016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.454{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56045-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.454{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56045-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19788D004C41862771D78669835834D9,SHA256=01638B6D654E50656ABAA938E697BFC3DFDB40137440837B3BAAEE5B9A6E926B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:54.082{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD37C4398A5C9AB7181521E5BBC5C07,SHA256=AA257842C0083B0CE8538BF2165A695199457276AC057816EFC08960C90BE089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.404{8D4DD44E-CF4A-616F-A802-000000000502}3764680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.250{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.641{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56046-false10.0.1.12-8000- 23542300x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.123{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A374D5F2F59C17CBED1A9AA7D3D13E2,SHA256=F4C3848BB9F4C221DCDF20BD5F1E61601F79048CABF258AFC9D336290E7BD431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB83D83C710B6C2AC39E3EE960FEA6,SHA256=613A244162DDBBF24AFAC045E0B7F88C0EA8C69F9BDD5D73E3B8ADDA3ED10B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.390{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.248{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16EF1BEB596CA03EAB03B1CC9626975,SHA256=3B042EEADBA6CCA875DE1C1B61E1C6151FBB0C60125C4C889AB61670E3B9EC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5065D35F6900AEF6ACBB67BBA51BB7D4,SHA256=45F309574EADCE05B8B86B931A67D20D4B9A947515B5A2351F3828350E4F520E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:55.160{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524BD9C6313F8B48083BCBC1C95BD32F,SHA256=4FA879C7EB37864D6908D57AC39F179D28D70A615317371F7208E51895632086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:56.165{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9C3E69D39A1FB9385B50D4FFBB9685,SHA256=2404102006CF683FBBB6541E13F44658C12903F3D990EE67388D39C8FD647086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E739D319B85A93D57777AE3536DE2C,SHA256=8970788E70B7E34C00B3E3EF954B8CE25B099D824D6D5A10C651C126CCC2E01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B764E00DD58EDC4C74A9108435AB5C,SHA256=A516BAF0818266F6B62AA9FC9B20FBA7AD6C4DB2BB83011659BAE0BE5503F6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:57.165{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C680BAFB017E4244E8C14CE36111FADA,SHA256=5545A462A3A2C18634AE17147C307DF0D593849222CB3D1E94BEF2F5A9F97546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:57.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB65FBC249C22941A25F45BE64CDA81,SHA256=117FB8B5CF02852B4BB05E3BCB1F624E6BBEBD1FA16C84EE56F25E1D3249EF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:58.181{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CBB800F29EE96AC83B44209AB885F,SHA256=5C5E3B5EA6ACE420ED8D81C66ABF5266C0F2A8F1CAE9FE322ECE1D8F8013690E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:58.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F74FC07C44B069747A26F9FBD8973,SHA256=34C27662A1108491C5367F88FE8799797C816E581E3904EC1641AD00C7905820,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:55.721{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50558-false10.0.1.12-8000- 354300x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.677{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56047-false10.0.1.12-8000- 23542300x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:59.095{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFA845AECBC906C98C5F7CAA21563E7,SHA256=DD3D085729DCA2D275553F04A6E0F355E7FA88D3D0ED6661565BACAC1A383078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:59.181{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15382882E09C20DA36D17B77C9687DEA,SHA256=B456ECDE61C96CA8293CDD2A7C271663BD1C82B24139B948DBD1E1F469783FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:00.196{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C966F28686B0A21B386151424B34FADE,SHA256=F58038331994368318BDF46B8FF63E0424FAE1E7FBF308CB6742CBC24A0619C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:00.189{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9395D9054F0A84FEF96F0D54884A24C,SHA256=0D8FBF44DDE9B5735A330844E149D17D0A4421054C4E54B8B03C0F2EAC603045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:01.430{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA24BE14946BA0A90F07CD891D7266,SHA256=6FBFADF9EFAB9F0ACA7A8006A7863D98A198585B6E26FA907E9E24DBFB116346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:01.205{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8689FBE385A959633E5F9FAD67419AE0,SHA256=EE4F045829CA3DFA07D4C77B283868EBCEBDC6734F83A80DD7DC532CC2D5F620,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:00.768{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50559-false10.0.1.12-8000- 23542300x800000000000000084285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:02.461{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F454A9664909715DB4CE8DFC0FB0E,SHA256=78EBCACF8D2854533A75831C9F14EBF39571F596A76547ADDC7DA561A2657720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:02.205{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3AA2C4F474A7A4C440C908F5761144,SHA256=0A8D8A2051BC2D75D204CF4F668DF375116AF045B3C772465DA5519A0F61F036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:03.571{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932BC11083E0889B1153AA6EBCF40B3,SHA256=C29DD9DDE477A3A06D7741553700A371962D0DCD86910880735C418A8CB53C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:03.314{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0709F0E7418521A229548DE4644B61B2,SHA256=C3B4FA34EADDCA85AE2202DA2D9CCFDFCC5F77D2A90A2C0B26461CC68ABCC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:04.618{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3207F223524800CD6F5E7C785162DF,SHA256=7B51320A34A670DE38461443A12AEB686B200568563EC83D9083F6E82407E2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:04.345{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4134D6156E4AD640FB4718DB54279B,SHA256=FF9E6F9FC3A12B62C7039F1ED5C49EF2C94FE300D390437EE8C46EBDCB18F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:05.635{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044715B3157B26C228D844BAAAF6C3C9,SHA256=83D1D3448E38F71878F8A410A17FB2DB27ABA105386419261CBE2B19113E3BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:05.377{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A778353E0E5F0C6A7940120DCD43DB,SHA256=698FC0E2B2C74A50C8D6FD9DF46AC58AA2614F09992B81D9F391EE920A8C0D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:02.536{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56048-false10.0.1.12-8000- 23542300x800000000000000084292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.855{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F636E0C81189927C474D5AD14E6346,SHA256=D40B9F74145221EB71C7CA924718604D3FFD0A80177B8D99861D97F9E53A972E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:06.392{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330EC92A24D8247EF1583BC1A0364249,SHA256=9081A0AACA3F9E4FE1F7DBAAA99F8AAC053DD8FC87B923A41667E4CE67DE48BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:05.137{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-470.attackrange.local3389ms-wbt-serverfalse146.88.240.4www.arbor-observatory.com59195- 23542300x800000000000000084290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.044{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-066MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:07.871{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A24B59638B7AB4776976C570962263F,SHA256=75D7D0EE2706174DA1C340B113F7F03A9752D8800EEF63EEC3F0FA985C4710F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:07.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B513DC8D0F235D3A31537A182362689,SHA256=41A4FDC587EAD7B7281ED9EA02CC890BC351184AABA0161AC0DF61FDFDE9B46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:07.044{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:06.227{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15-49467- 23542300x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:08.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BACBDE3ADDC522EB11D72F34F965C9,SHA256=924A88BB27DE52FC5078AFEA5870C145B724FD18DC8BB483C37080B27E6AFF2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.196{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-470.attackrange.local49467-false10.0.1.14-53domain 354300x800000000000000084295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.193{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8b0:1728:c90:ffff-49467-truea00:10e:0:0:0:0:0:0-53domain 354300x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:07.708{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56049-false10.0.1.12-8000- 23542300x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:09.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B936D61B32FAD5AC4628FBDE203F0326,SHA256=DC318D68073B12F2C5BE8E0F557EC18C43147AB51ACEEEA7F67BC8F6D57D5F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.605{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.058{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6A76E439D3BE60A3BFE579F641E961,SHA256=32C985516976AD73EC98CCAE95755F8CCB331EB7EEC5C6893C77A01807454016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:10.215{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504ACD1CB1AEC9467D44A7A19EB7C2D5,SHA256=696620FDD733CCBB1B6629B6C5D1B4404DE9B72884B83C3148B0FFB8C6BA3353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:10.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF197B5D34446242DA79A6C0F2B990B3,SHA256=AC55BEED51534904C29DBDCED8E30EC8B8B5185FEFC78E55F0C0F74AF83B6862,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.785{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50560-false10.0.1.12-8000- 23542300x800000000000000084302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:11.262{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D373A3B4F35C00FBF166353F156230,SHA256=68264A9452DAB94F6AEB0AC52D41230B3DAF9759B648BFCA5215F73AE4EA0504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:11.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FC1105AB39256E707BD6523397A8D,SHA256=5194696130AB3C1AC382C57F4DC65C94BFB8540AB6CDC2A8283D27E92B6FEDC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.147{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50561-false10.0.1.12-8089- 23542300x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:12.470{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AA2302606D42450D40167497894E1,SHA256=B77283DD8B06F67B2913C51137F39BD950B48F7E071A099E2372A0072A1139A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:12.355{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B1CA97335FF5ADE59B62304D71C2B8,SHA256=A35CFDFCB7270129CC444DC1C4D3B56CB53942AE1DD62BA22C808FDC9F0584F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:13.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB8B455E7A8719A74D90D7BFAC949A2,SHA256=5EB3D3A54DE686D6C7C927D0BBBFFBB40DC647E1490AB97DF67241CA19B0BF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:13.371{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F08D941AA7D05A0D36F9BC23800E4E,SHA256=8669BA920CEC4720025C22D4013A3831F1FE47F02D6169F5CCCC396B182D588E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:14.689{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163C291A206AD72DE8B040A7F5E7B7E,SHA256=F0E9EBE337D5A1203EEB0ABA44C57E5BEACFF599E660948FCA87E176ABBBA563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:14.386{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2E655C56641FD743449A5A5B01F130,SHA256=5A4BE7E3B0C1AB85C1C12CA19468361ADC618828254551D2DCDAC0E7C0B318E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:12.787{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50562-false10.0.1.12-8000- 23542300x800000000000000084306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:15.402{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757184EA0E63680976DF42F01D1844DC,SHA256=D7C806BC57FB1F8E2B31790D8A3BC719C43C013DBC14FD99AA6F88EEBDB70C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:15.705{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3A1042F01ADC0F0977129805E3C99,SHA256=061BADD9A182D43756E1395D62A1538418AAC602B591F1B6E7BB744E5C397F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:13.552{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56050-false10.0.1.12-8000- 23542300x800000000000000084308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:16.417{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191570FA8924379DA081B61039B4548F,SHA256=1111ED3E79FB14407C034F92DBADE4ADD74B7F89D81FCF2EC87F37B6B421814B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:16.706{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18112EB5587AEF5D8531A313414B90C4,SHA256=9AC4A1FDE00F2EEB95CED7AEB1B936E2AE49042E91ED3A4AED2B93BBA44ED525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:17.722{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4D2E9C20F0793FBBC17B4D996DBEE1,SHA256=3668A77F6008E4C2DA531CDB2D04C953FDFF842A90F397EAF6E56177BFEC6D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:17.432{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81897E23C02C8A54A44A91ED852E982E,SHA256=CD6892EBA559481BF19ADD4818F87C2F2B8E0F1078028C27E5446C5A508F95F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:18.753{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F39EBAB74844915C837CC379B64F9F6,SHA256=6FF32CD709CAD307EDADAD6D0CAE104AC4F643423444CAA847896717FAABE075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:18.448{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C89A27FD4FFDA834E8C80DA13E25D5F,SHA256=BD41902611F4FCFA0281291CA141B40773508310A95E1DBA7CBEF8992B435FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:19.769{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDED61C728CA8E75541EFB01F9105C2,SHA256=6CF53CB28B0627530D2B05FDD950C1408F196AB487FBCA02B29289B0A09C3A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:19.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916A5CA4BF28C59C0AAC1A6D5548292C,SHA256=8D1816C6E6B6CAB8E6A368D2518A2B9DF47A531410C1FC08B397CE6BAF5FB854,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:18.739{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50563-false10.0.1.12-8000- 23542300x800000000000000084312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:20.479{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0301CA9310ADDC765D78F037BEA096D5,SHA256=DD64679DF629E63CA6D6CD3BD2BCDA6E933A40ADE995F10CBF52EDB6C47008E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:20.616{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-066MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:21.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B6B070F3EE08830F7858E826EA2504,SHA256=9B33BCDAA799C20CEE5BDFA2491926EDA7D7E0AB0643D8447B0C851F9F32724E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:18.663{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56051-false10.0.1.12-8000- 23542300x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:21.630{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:21.004{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA5EEC074654C649A7D6BAC60B58443,SHA256=6BFF04CCF8723574AE1BCC44A4FBE013649600AAEAEA2F3AC2243362F3BC0CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:22.510{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BFF20F062D325EB65996F5FFE930D2,SHA256=72625155D2359470772584869F135A9195A80F62D5840C3B7A2249E9319989CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:22.019{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD0646AA49A5FFDE9FE3E9BF574188,SHA256=E9CE04D425B9668304EE8C157A02B5BF04D5F7BC6738872622BA8D12797F61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:23.526{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0D2DC4D6166D2D1B9042B1E64FF9D6,SHA256=E41C800EF469C02A9FE8D68316986DF0F243F7DEFC5DCF3B28A74623E3D22948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:23.053{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432310DCFA97494B0FE0AF730680D3A5,SHA256=1B601B1BDAEADB35D0ECBCD4EB61E94D22E5D4C356A8C2FD5BBEE72FC2C0C3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:23.104{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3E651E1E5867BDD1259C673803B70F88,SHA256=4B79577D8ED88996FC9E8D4CF0BDD89F66ADB8713B56791F4894DC58682B3EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:24.542{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D4E58FC05F17FC0E6A8DDF73E4865F,SHA256=403CF89503AE585F7095E17E26D90754932070199EB8A7FDBAB5F5CFA25EBD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.085{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC05E59920E15F27937ECF04DD0445C3,SHA256=36509A10097D0FA07C0B708A1F0049F86BC819E4DC02F78F0317DE4FE19E6830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:25.557{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2797F3AA4F26CAEB9E4CE950F69232,SHA256=6E84D5E02986D7E2D71F65191450301776D2926B8BA1FC7425ED641F5D314B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.210{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.210{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5599FA70A09B21458E3BFD74C2A186,SHA256=2781E65C939DF119D247CE905267996A3772ACD0CEE45B8052A15BBC898CDF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADA0D3C8B6D621F55DE11A3976351BA0,SHA256=5726E11617AC35432AB34078C7AE9A4ABDCF2802530C631A7943CA57C7AE5E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:26.573{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9AC094041FD6A152D14FFC17DA92DD,SHA256=7BBB7EE84A34CE0E9200590C1B86763E503458CC4B7E347FA7215319F829F747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:26.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD3EF036E8194827EC3A822A214518,SHA256=D9A1CA15488E2113A6F3804DC834BC99CE20F63E6F569D89D90875FB510B16C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:24.754{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50564-false10.0.1.12-8000- 23542300x800000000000000084321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:27.588{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1F29441CFB0ED58E0CAD926E65A72A,SHA256=E833BE1ED986C7EDFB131AF7694E86B97ED84D8A81EB8AC26845204CFDB9E352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:27.366{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C9609B8BBFC346AF36482A751A8A67,SHA256=63917E4F664A4F3DEAFAC25CFEA68B45546E5D900A3EB2780F6E8E24A9C51799,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.682{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56053-false10.0.1.12-8089- 354300x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.589{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56052-false10.0.1.12-8000- 23542300x800000000000000084323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:28.604{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7606AAB96FF98456FCCF2ABFF92BA7B6,SHA256=6EB8EBDAAA11E440A45E274EAE3CFC5A655A4DCDFACDDD0265D3E1DD09510815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:28.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0352AAEE5FFA835DEDFCC650028317,SHA256=6786C600A554A7ABB0AC2B1B94B6DD70B7EBEA7FB66210A434BCD23E53B72212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:29.620{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CF41AD8AE7A02ED7928F9B7DFC2CCC,SHA256=F5A58D410A28AFFB1A719FBCA743AA58F34D7B648B54F0B7D140A5CA220B1ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:29.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A26FE93E192E82096BB0BECEE06A1,SHA256=C4E7CF6E47A71590039DC1E66EDE62505D7DE5E147640A2B1A96717A1701F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:30.635{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF3774BCFAD8BF62BE6CB1413759053,SHA256=62A294BA3154E5DC092A2EC3057EDD1183DD380C206611E2CE9F66C85FD8313F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:30.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696DEDE8A028265414455F50869F082B,SHA256=132B3CB8B98D0109ED3F85404FABEEA9829CAFA7264BAAF3C885E3E2FEF2CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:31.651{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF0E84AC118D6131B99028D441F1633,SHA256=06C5440B48E473CF2484A58D804DCC0A165E0109F19B5418FD0F6594404A2398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:31.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5650E650617C974E239ECDF1382F,SHA256=5700DAF8449F4E40C410EEB74B7CF44EF7630F4112F937E52E88E43B953D89A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:32.666{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C57D24ED2F2F73D4FB0DFBE39F9312F,SHA256=478326713B4AFEB0404E1D662C705C10EDB116EDEF0E775B0C9B4C817B325BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:32.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAC8532AF8F4FC68E3695D234B68AC7,SHA256=0596598C1F031FBEA0E2F51554599BFF6F06AF2AD99B0C9DC1A4068536DC51D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:29.729{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56054-false10.0.1.12-8000- 23542300x800000000000000084342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.682{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2427D2A242D3CEA9885C8CDB7A0A7197,SHA256=CB5B722A81A392CC0ABE3C74BC20ED093F57830F06E3BC3205008F32DF1E8894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:33.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9286DADE15D9A7333FE1207F79F24589,SHA256=CED8D2F832340C02511755A434C850FE04547001DA1F1E61E861EC14968778C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:30.801{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50565-false10.0.1.12-8000- 10341000x800000000000000084358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.761{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF5C6B6F937E21F715418741CB5A57,SHA256=D6517B08D198D4127B30EEAB064D6893314F119C612E14072459A1312020CB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:34.429{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0CD55F0A2568537DF0C0FAA1A7C59C,SHA256=E58D6C591D5AB765A3866D235E67F19DC22762063FA98B95DAFE7C346BD4A3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.494{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D0AD2F39B4256C617AE280416B42D3,SHA256=4F7DCA1D2B2387C1AC1295A32D896A55C7DA3364AC42DA9DF7BB3554F16A726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.494{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D41CD91A1E84BA080E43A72F3DFAC66,SHA256=367DB1C280FA7B2D7C9467A58ACABE8D501C4505A4A5EE8D67995E34E997BFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1180870E6C8DFBDFA4BCBF310325E7,SHA256=97FAE9DC51A8BB72FD27ADB1C90430127E2F0584D14A6582023FBC7C10064A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D0AD2F39B4256C617AE280416B42D3,SHA256=4F7DCA1D2B2387C1AC1295A32D896A55C7DA3364AC42DA9DF7BB3554F16A726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:35.444{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7D0BA78B5CC6D84C830B8E78F9D11F,SHA256=33881605310BD3240659132BA347DE952BA2D8A21EFB0CD1CCD21B8BE742F7E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.277{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.041{6F8252D3-CF72-616F-7B02-000000000602}33002928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:36.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FDBE6F714C817771A5037ADFE6C33A,SHA256=998D483ADD27D5351602719A185DB08B4E7E63A876561A9E875ECD356D2111CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:37.539{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5712CA443C9F4962D8344ED18487094C,SHA256=1FA3145E7FA64A959A2B1ECDBFFDB70A22AE77E02FF488D228A6A9EF13261B5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.687{6F8252D3-CF75-616F-7E02-000000000602}39642792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.500{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.218{6F8252D3-CF75-616F-7D02-000000000602}1324956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.031{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF75AF93C6C83DED35BE18FC80634199,SHA256=44BAA8A5752BBB3258B1F5F49865F25D7B187743DB493D6356B94984A3215212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.000{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:38.540{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAF294D2FB6583BF7BD4B681CDEE3CA,SHA256=4544C83C66574403F2AB2C136E6EE5656A0EDA7EBB109BCD43682D1690DB95E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.374{6F8252D3-CF76-616F-7F02-000000000602}28963592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.234{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5C2B4BDD6670F1E264D81ABFC7DAAF7,SHA256=B0F33B2F6304189AA4DD6FC87BC48664DBEDA8C3CB217E2D5B536A451E203EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.172{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.046{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE0D79DA1BD0A85E9649FD8B5BD8070,SHA256=23F5226C6A6F6CA75E6C33C53B31ABD05927E3C3C6363C3B5635238D24DEF7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:35.590{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56055-false10.0.1.12-8000- 23542300x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:39.540{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E603440E2D12933ED0CFCBB0B5F946E6,SHA256=B9809B080CD0D5EB69A05C1678993B0EB0D8C2644FC0D72B5D7F52484327CF9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.759{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50566-false10.0.1.12-8000- 10341000x800000000000000084433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.625{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.140{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4901E3A6D104467E22EBE1519EE3DC05,SHA256=2F2BC46D37DFF6BD528A976099CE3C9E0D5B9D6DE0B33BC0CB93467B47F11A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:40.555{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0105187E7C6286F9C8413A041785DF,SHA256=FC89383F8C350787B65244D86167D9B9F7EA45FCF60686654D4907D0D12C5814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:40.734{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDE29C2986E4BE4FBA085A1C834AE5B3,SHA256=1D92E34C16F5D33A68BB43690D2730B67AEAEF2DF1B86137B58DFC63B5CCF78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:40.265{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A661CD2ED32DF2843177800F75B7ABFC,SHA256=64B00E6317B9910A83F03A1FCF893CA0D382115AE6E441F867426F6D640F03CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:41.571{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE6024F680AAB908EF9F7A2DDED4486,SHA256=39D37DD2A7E46D57701773B6E38700F01EB536A350DC911040762CFB12837074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:41.281{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86A1AF99103DE41F8470F99801DDD60,SHA256=FF7A0EE57D1987000FC663233BB799AE0286B12ACFB7E2F08B934ACD524EEE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:42.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BAF7F906ED76245C873CA3F220E284,SHA256=714EC0D30761F203E0BA7849DA713067BC581567178060A2AFE604062E6A2F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:42.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9D490378544D5A971C8F1C9308031,SHA256=8AB873BDFEAF1BA8614807477BFB4D4D88A40BFEC5530BADAE46CD35CEDA2912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:43.649{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BC8627A566748A6B8F38EFA12C9CBE,SHA256=CEC72E1D8DE721897527E8C7AC48F0D957917E1FBA78BBCE1CA2D3CEFB7E9D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:43.593{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACE1EEFE2AC2B01FACC9621550067F0,SHA256=663052F8640A3AA355171A5E253F61438E418C016AC96F08A32327E92733C125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:40.653{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56056-false10.0.1.12-8000- 23542300x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:44.665{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2D0CF5AC79DE97056D4375569E7F23,SHA256=2A21631C70E82EB6563D6F4E7F1EBA010F4CE282B7CB22A5CFCCD0167C990F6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:42.728{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50567-false10.0.1.12-8000- 23542300x800000000000000084440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:44.624{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFF1E61EA1C933AB08557B52B0C4346,SHA256=365E8714FC4D6CE92180CEF8FD3B36B3EF9EF4F9C0958213A103DD82E26DC145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:45.883{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAF01E0ABACF3E9632424286AF788F4,SHA256=000F2AC873D456C5EA4DFF6483103FB2F4B991950852D2369032C6BEAF4163C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:45.702{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801FBE9A8F96B5EE95CF789F31C377EE,SHA256=8A15BF4CA9320F67D5571791D84B3E9FE82F982141637F6DDC72A100B835183F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:46.946{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9CEDAF014512C2E76119A04650BD0F,SHA256=8CE0B4ED54A5ACB154BFB8853339487AA90CEA4A88AB3AC844F103F545B4AEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:46.718{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E53D09B8010E93E770A99C8DD9806A,SHA256=D39C7C60B8C5105C2B479F723702E2FC99B1A9020E53B3C3BFA83C9B8C864E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:47.946{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDECA63008826C7D5B80B8158B11954,SHA256=0B34201ED1FEAC79B246DD944E615DCBCE411339A216306C70D668C4A2EBA28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:47.734{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6853560EB76C7B08220188E3C8817FD,SHA256=19A6BFF35E6ADB1EFC1E47EF47FE53E893D269034A3CEF132428AF1B402F7FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:48.977{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCC4C4531F4BF7F01C413048DFDD969,SHA256=CE1DD7E9079343A25819C0D5E11306DA2A1D438EC1CCF70F3D1A75B0AD078DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:48.749{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66687CDE6518AB6E0A484BC4702EB27A,SHA256=29B1AF53311DC139B735DDB2EB2D946A35AD81F055D525181A5F1E9D2CE65F5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:46.653{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56057-false10.0.1.12-8000- 23542300x800000000000000084446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:49.765{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34C380122C4EE6D918DC64E75EB7201,SHA256=9968F6C656CD34FE0728CCDF5AA9A41EA46E9CFAF41BB80E6747DE926EDC3D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.822{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:50.780{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB5967FDEFC6D482B43322D4C4C622A,SHA256=D3AA53F6C6222459429F18E0D3EB718549B171494040C7C1ECB669A45B138C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9BA60BAB78DD3AA042F7227C3B1D4D1,SHA256=608683348F1EB0F84E820DF060244E5D28A2375D60140A51CE9E3A8DE799AFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79DF2B1D7D5265BA0BA5C5C085EE24ED,SHA256=10492487A62947C7580256DFC74D4487BDA2BD23D50331747F2CDEBF678BDE53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.822{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.322{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.055{8D4DD44E-CF81-616F-AA02-000000000502}13045076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.993{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107433F02BDA0417D202E763EB209847,SHA256=B66ACB1CE8385341E55EDBB0DC4D033CF2159F05D3DD7D1FB63E9A04DD2FBE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:51.921{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A22F8FCEBCCDF1AABE8A85CDA8E3920,SHA256=828444B3DCD6A93225E10C425B2EC7B46E85FFB8F81457992CBC5DE4293EC789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:51.321{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7083BFFC834C22033C75E4D397BF715,SHA256=B66B619B7F03FE81B089B78F2D86F3F42A27AAAC26DF4A2A2C716129387D8B58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:48.759{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50568-false10.0.1.12-8000- 23542300x800000000000000084450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:52.921{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C2C88099182A6E05591B3AB238C74B,SHA256=F9ECEB972FBF37B75016D22E2E99BC565CA8EE2A96B4452AFE135DB462721B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.978{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.466{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56058-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.466{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56058-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.383{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3480EFD8979419B68FD163C7C0C0A7AA,SHA256=10A6462E0F68E9C3B97B0C30E69293124B1914406A6407F55673A6753666D2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.087{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9BA60BAB78DD3AA042F7227C3B1D4D1,SHA256=608683348F1EB0F84E820DF060244E5D28A2375D60140A51CE9E3A8DE799AFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:53.922{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FCCE0202A1F78CB3DD3A4CD1DCD40D,SHA256=FBECE7629D69042FA2BB688AE54E25BB9488899A6AA5BD8C34A54B5B8729E354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.665{8D4DD44E-CF85-616F-AE02-000000000502}27121896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.478{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.415{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A99F15DE4BF110037F343FFC9E72619,SHA256=440DC61C096160457D8DCC0E3A1B1C0B1C1F90DA925854B9EEF7F297A9C62D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.196{8D4DD44E-CF84-616F-AD02-000000000502}1516516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:54.922{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8327B48161C147904C8E01717765EAC2,SHA256=0B425F55C9ED1694BE305814A5966D6A0A44FF6E6DBDA8772236C35DAA68E688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.576{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56059-false10.0.1.12-8000- 23542300x8000000000000000103276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46B780D2C108106F3712D02771ECE76,SHA256=FAF4D37FDD835FA4C79D97EDC4A011C03C8ADB5704DD32B7222512A700A119F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.399{8D4DD44E-CF86-616F-AF02-000000000502}44841344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.196{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9258F415679DD0C0805A7261C6E56F91,SHA256=0FB9F735E0F3EA0278ED21E9BC1453DA349AF5D8F46C9DA01247E31E2DE48DE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.150{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:55.926{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03977F44983909A21B4AC0D05B286465,SHA256=844FE844A0FB3C1C4341F938C39C113FF9C641BD961E98D5CB1F3CE0D368AC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEB1C37D92FAAD9D08A933E1381C250,SHA256=777007F5C066C898A1DA4229E31124BC57852960177332ADE46553ADF09E07EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.400{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:56.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AD645966ED31D8074F37979D79C65D,SHA256=086929848C204608E86CDEA6DB680839BA20C2658DD2AF2AB6BDF6EF73E9485B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:56.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFCF2A720BE20D5512201661AF2EDEDF,SHA256=8BAF1A5E117C17250358E2507DADC94DA02C61FDC55F58876449E96286A8AE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:56.451{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B468DBCD6A619064FA810BA26A264,SHA256=39761573BFF9769EA72DA6E52731979C44DADB750675ABC1CD03A7357A90AD72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:54.666{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50569-false10.0.1.12-8000- 23542300x800000000000000084456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:57.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF45B1C3D5937168EC41F281B160A41,SHA256=4B820A91258E506A76376A02AFCA4843381E038FF1A9EA9A92B1680EAAE8C498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:57.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397563404E3C64D72E050C67078BED92,SHA256=A25CF8E4B26FCBE374AF9E94FE4EB87E1C3D626813EF5F84DAE77EC94E181725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:58.928{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA1C68D399093FB3504FB4D1E1582D0,SHA256=63A346BF1CF1714404E747F4609408E06E4B1F9ACFC2043778000036797821AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:58.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14121481C8969D8696AB611A2BA6C7EE,SHA256=BBBC95152B529089EA821A8BBB6513222EA4D39BCE4D63963BFE1EB5F1A364DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:59.928{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B720DA3CB1AEC9DADC8832EAEA26928,SHA256=CA38A79FE31DF5C48D2D3A8937A104F257088187E0200EBB38978DB84E7D022C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:57.705{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56060-false10.0.1.12-8000- 23542300x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:59.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F24A37F21A47BEF1E1FF8A6AA0DF13,SHA256=DBB6241E0AC72157B19088A6CBF7CFAE69F508536377D8C332DB5BCC48D6D32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:00.929{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A8865F10B52749C86CFB8D4EBD607A,SHA256=0C92F394598B9FF213395F8AE6133F916018E847F846F38BC71741AF6F440F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:00.498{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A493C8182CE778998DA52419E7AC45BD,SHA256=781313A4777F007DEEDFD5D53A5D48E9D071F5018EB3024BD8F4BF2B5E055833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:01.929{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953249D87D9CD001EA20A351B7A76054,SHA256=6B3E6E63AE1C3A6DD3E60AABC7DC3BB77D111823668D12DBA86C210AF1EB80BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:01.545{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663898B47F7E6BBFE39042F4576D7CC,SHA256=C900830F42D87953038E9B288A9064CDEA9E6DDE7799D8806BDA7F2791838484,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:59.704{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50570-false10.0.1.12-8000- 23542300x800000000000000084462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:02.930{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309C7DAD69E6540351706625DA735966,SHA256=6EE3A81B2886884716CF5ED46354B42813DA193B6241748CBAB1BF220C2BA14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:02.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDFBAEC3D50D8C00A888698F5AA0CD,SHA256=37F7D8C90632D5FFD2B7FF90955278C3FBF7BB1933B341F9A11CE4C0AD81B50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:03.930{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BACE75B576BDEFE58FEFB0DE90B38E0,SHA256=2169775DCAE843E718A9922799DEDB2E5E22D81EDA746FD6F007F946889D74DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:03.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFE3AA31D4F051DDF271228B3ECDA8,SHA256=FCDFC8E46649F4E0901752524B6491DF6B1E9E81C099F8F0537818CCFA3A6E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:04.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1C19DCFBCF7BE1CBEA45C749B87E25,SHA256=E5F2003F36EBA14303495174FB88906D4F0170377FF7833B2AE57CCDE29FB33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:04.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B06A2F9E0ECBD651E51C95B143F97FC,SHA256=36A1D177537BDCCA9F83C24066F74E90500B03F301D1C09C588641D2C1CE3715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:05.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A0B1CB7AD71C5A10DD31DEEB7CE2CE,SHA256=8BF75F6DBF1BA9221A74F8AC91B9D220DE8A1AD428400C10FAEA91D3781E3282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:05.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE5181CA0362E5627DE0D1A9083647,SHA256=C188697E7CF6F0EE7F246300E423B6F81A89ECE4C8C2A3761CBFAFD367C4178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:06.932{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918327BE8C803088EF01CCBEA78884A0,SHA256=A65F78D6E5486E81060E18F60DC7ACEA8E6FA968B651E73589FAD87A185ADF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:06.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEBBD5C4C14DB9270F42948F5867BA2,SHA256=F5356CB315EE4C1B3C491E5413CB53CABBCEC1403CF8CE537F07016660D25B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:03.549{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56061-false10.0.1.12-8000- 354300x800000000000000084469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:05.644{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50571-false10.0.1.12-8000- 23542300x800000000000000084468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:07.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19203E805C26BB4E881D1415642E6E89,SHA256=B0239838256C6C43EC1FC9B95AA6FF96EA326CAB6DBDAD31FBAFEFC77309F063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:07.607{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AC2983FA5868F0C3502C10E9145157,SHA256=78DE57FED4191CAD4DE676DB57EF2C4C3F566DBC2D667887D3A10139F8AA9BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:07.561{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-067MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:08.937{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41580FA94F506BD682589615D5CAB1C,SHA256=966ADADDF8E5400A8EF7FFF70F165FB9BED2F1CEC1D94537E88754D06463CEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:08.607{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6661ACB05E14A6E43EA77CD48037F6B8,SHA256=293F63A060A682D40E696E0B2F06AE65D5BC736377D11488A3C7C459AC1DBCF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:08.561{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.940{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A92A4FAFF0D54C8B0BD00D1FE52641,SHA256=6E28A957967F5B0C0842851E08D72E82CB8A75C1EF9E87C0E55AB9BEA8C631A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:09.623{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.627{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:10.940{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63457CFD6624F0BE5B5C5522FE8FE20F,SHA256=81518E58C6357767C408062F4309E7EEE279A9B83DA24C2A59FDF36C93430FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:10.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EFB0DC8A3EC96A12BD0BF8B4A3B5E8,SHA256=396C526FA068F57D5489CAEA48031372E42C0E4F34EF3E42C77D34B8738361F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:11.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9918490138A0C251CD2C3138BB959722,SHA256=F801CF23AAB329AAA84FFF18D881C3B4AEA711137EB24E81901E666E041D8B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:11.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B569293EC3A452BB83DD570C6453AF13,SHA256=E668571DC87CE48FAEFB110EB21B9CD6EE479E0889B7E4820614F79E4BB082CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.168{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50572-false10.0.1.12-8089- 354300x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:08.659{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56062-false10.0.1.12-8000- 23542300x800000000000000084477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:12.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7588F4356259523E104E492EEDA26ABD,SHA256=6BE45413C55D8DFEB4A3EBE65DE081B89B1372B94A0B1F614F97B8E102D9DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:12.748{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D47160D81B4EB8218CACA2D1E49632,SHA256=365CF7A8AF8069DAD9E61458B9FDCCD252548B429218CAA090E174E39749D469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:13.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A569DF6E1C85AE2376084C27AF26D676,SHA256=F546EC88BA17E0058423206EC56158A66482C362499AA5701F3C7815EF78DAA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:10.653{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50573-false10.0.1.12-8000- 23542300x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:14.826{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227D33EB8B48101EF45D23ED74B62806,SHA256=7BB8FB4AA97A06AF59029C1668C2FEFBED47C706F7BB0AF8AAF4B50076597EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:14.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F103B7B94024B11859D72AFA0B98A0EE,SHA256=50AFD0C0891650DB0C67345ACF597B7A897ECE57F7BE3101149E308B9E89DA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:15.842{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D1B53658B1A6C44F20E7821C247A8,SHA256=15A55CC50500BE2BCC3F2AECDFF46FE7C0AAAA3D02A149960B1BBA1BA4636F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:15.098{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56914DA94A0B8C6E14A9755D0B92AD23,SHA256=B079C254515FD10825D8311457A464EF52CD9E4EA94FA76E9069BFD733BF7566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:16.866{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F138A5D25114F6DC79994767C2473A,SHA256=F2D9C7653E9386C2AEDE76F96F685825909BD720FCCF13C110458AFD9018C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:16.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52DCA377D527B0D6F85A96ACDD82F9D,SHA256=A16645284184E24DFE2FAB0BAC11CC6F7B6CE4BAAA1FF79C458CF874A6541828,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:14.566{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56063-false10.0.1.12-8000- 23542300x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:17.866{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BB71A7EA6A431E5C4BF1A71B438211,SHA256=8BB69A4590CB8A5F87D6875F219DA4730747FF11E80372BA4A64AFD11CB83538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:17.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44D190B203C1683755E7641D9048C57,SHA256=345156C9AF097B4CB5BB8828DAA1007DCC20F1522EA24E9328E0B9ED74326F0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:15.773{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50574-false10.0.1.12-8000- 23542300x800000000000000084483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:18.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F538ED0CD0135C452D0A4B3B61A49F2F,SHA256=57DE03FEC893C686962A8B1BEDAD01CED9A03CD799A563A67A64C75075FE306C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:19.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30532232AE2ADA6C29212355029EB36C,SHA256=8046017B04934C7B601F943FE1FA179AFB1EBC87500187C491AD641E508DA03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:19.257{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359C4EE46D3BB9382DBA4C7051184348,SHA256=23D1AA70131753D357DA06C6B14F3A1A40EBE5A7EE56627D3C56328741A30291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:20.404{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879FAB65C82A0BCF03B49F7EE1E6647B,SHA256=3B70E269A28C7593B6AFC97223EB5F795376137C9438EFAE9BA3655F6716F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:20.257{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4089CF862E295C3D0BE3DB209FE142,SHA256=ED9DA7ED942786B185F4A27040C5D726E1160E47DB15E8719CDBD6C73FB823B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:21.420{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DA58C311E18CF66106C025BC7B1669,SHA256=B074AE991739AF4F36AEC463D85D8D8D16A1F2C33FE91BD2306ABE719373F500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.273{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC604C3A531A5D8C1CEDBCE75316029,SHA256=DD4C6B9B3C50A599F76175D447CA450EE9F537394F94309694E9942E458D7544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:22.435{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C98D6E722809FFB5D86816D622D1F7,SHA256=059E45E85421F248817EAF3C5C1E65E46B80E1021BD32F5830D14B7ADC436B19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:19.669{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56064-false10.0.1.12-8000- 10341000x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.442{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.332{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDC00E12C659D8BF28AA9756733A314,SHA256=62EA77D4A8A740A69C36ACF4FFAE63BA0E263BC7D0AC7AB624B88607C0B282D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.153{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-067MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:21.711{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50575-false10.0.1.12-8000- 23542300x800000000000000084490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:23.467{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678CDA5636850977DD6A5A685735214E,SHA256=46F1EDAA1455E928175B4843614AC768939BBFA7AA71E82E444CD387421E3EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B0053410D56EB0F8CBE0559C249CB,SHA256=F755C8A897FD7ECE0A31C4267A09B220F599E800CAA642695E9F9E1A9AD9AB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7128F56D2044A9685D473BBB8E116C05,SHA256=6373653E2A775EC823B05776881F3EFEA02731B4FCCAA57C279007A6EC799BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.362{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92EE1DCFE0E51F8B08C12754031BCFA,SHA256=9206BE708EAF0621781090BCA4E78CC279422D24E88214DF8D687157DEDC74D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:23.107{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8FE8509AA4E90DA0A8FABA2776ACDC74,SHA256=7625C2594B23DAC2A187EF66ADC9356CDE041CEC84B72E2B4B213E8AF57C7512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.162{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:24.498{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7888E241B7B61114053DFB964D85B1,SHA256=63C4DD28B41EA2F3EA8192436B95056AEE9BC2C895239189FF17447E9355AAE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.709{8D4DD44E-BF3C-616F-1600-000000000502}12922976C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.709{8D4DD44E-BF3C-616F-1600-000000000502}12922976C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.932{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.932{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B89E01C74EB4EFF9D7AFA00817FE238,SHA256=22CE9B01954A3A24F514E1378671EB7D8630A493A76459ACA236E32C8C8B41B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:25.515{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99C5C061F58845A7577553C6B0C31A6,SHA256=11E4EC64FF50D6597B312C67D4BDC3E7531649C4911119CD23D86E86A8D69F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458DEB02C9063CD1E98174E1DE309F5F,SHA256=7254F08EEBEF26DEDFF33B390521558F7B0F9ADBD0B1E670AE493D220F9EC646,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000084502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000084501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040bf60) 13241300x800000000000000084500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf89ced17) 13241300x800000000000000084499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5a615517) 13241300x800000000000000084498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbc25bd17) 13241300x800000000000000084497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000084496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040bf60) 13241300x800000000000000084495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf89ced17) 13241300x800000000000000084494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5a615517) 13241300x800000000000000084493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbc25bd17) 23542300x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.225{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=787F223B8210F21DEDFBF88B345084DB,SHA256=424DD781ED54FD7FCA05F8CDC85182F8E38E75E314B10E652BA3E16EF9991309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:26.546{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8939EBE1BC2827053E7B4D664BEA6CE,SHA256=50DD255C816ACC005B3178D2667F0725D1562D9BE0A8E78050FD66B47D0EF7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.699{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56066-false10.0.1.12-8089- 23542300x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:26.459{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4992A682319AC66939F48E7E5C354A2B,SHA256=91BE68CE401BCF5CCE8137B9A24ACE62C82E9BF2944B0E98B7DBEF67A4209EDF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040d78c) 13241300x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf9745453) 13241300x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5b38bc53) 13241300x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbcfd2453) 13241300x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040d78c) 13241300x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf9745453) 13241300x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5b38bc53) 13241300x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbcfd2453) 23542300x800000000000000084505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:27.593{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008B292ECC1F72E05521DA4DD697B175,SHA256=FA6F4BB6E48516209B517F31BC7B74941469602B8948BBEC8DDA6EA7DF382ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.542{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56067-false10.0.1.12-8000- 23542300x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:27.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827BDDEEAA9FD004B194E5A53094CCE1,SHA256=F42CF49FB076D6BB248D8D914746EFA9F16C009EC986D75982915F162CF85BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:28.828{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5530DD05EF050BF906BAA04C0E634089,SHA256=8D1E5BF4CDA2CFAB958E82D6D13CAFAD3BAA0D9E29171113806801255628BFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:28.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908C602313EB686DBF72D3B1B443ACB,SHA256=D1B204B8317192C2436A921F49351B716CF7B7D9694B30089136F795B147EC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:29.874{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8188E583C358F4E2B6B5B6C11439AA,SHA256=2E8345452DACF405AE87EB62EF446857492A1B9053BA2BB3EF43D6339E18DA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:29.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C296B03250FD98A9237F7A7E5B320F,SHA256=B4AF8466B162B7012A5CAD7200BE0B361AA81C0B1CBD1C39BFDB531E7E3DE562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:26.744{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50576-false10.0.1.12-8000- 23542300x800000000000000084509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:30.937{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0BAFDBB20AE753B015855D501C2A51,SHA256=808B4103F59A49DE3079813C5854836BEDF81A6827306C10366955F8C32F20F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:30.553{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A267834B74349C4708A5672EF21053D,SHA256=30B351EB86A8F5F9CACF9FA48CC82F9ABDB324B45136B7A609E2F57F45017F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:31.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428EA82A767A4842F89A5992C2C57482,SHA256=ED6773D1815738C5234337D2B40A95B5AF823005E40C36352FA08CFC7705A763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:32.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4AA23A357875AE755E2FAB6DB6347F,SHA256=40167D1586050ADE5DD4048485954F17AC18203104C40937F212D2F14ED6F1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:31.999{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F36DD9E73F5E527E3652449E5D164C,SHA256=954EFC0491EC19F0CBDCB5935F5D34828B96EE3DA3257481DAEA810FDB552299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:33.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63940FF54A3057EFC091F81C59F80EC,SHA256=F79E1326B8C68ACC2A807A0F95F1F2441D8FD06E2E05D9ADCED21F3912F06950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.282{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.046{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298EE073D399F747E56FC9A80B9E839C,SHA256=52508AF09F4239C107BE17B29DCCAB52DEFAC2184C487B28F72AC719DB7A95AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:30.589{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56068-false10.0.1.12-8000- 23542300x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0752FBF0A138BE507DB235D89657750,SHA256=639E432185AEC08D3244D86C95D610B4DF286B507643C502D443DF6D35680397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.770{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13FB968DB390AAA58E7F4E350038C25,SHA256=FB23FF833854B5E0FA6A3588D05DF3745B2C2B4B0CCE8FE5AB4CD6D2345A0DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DDE7B9A5CE281342BE3D57FA5A468A3,SHA256=EE21888B5A22C807777E276685017555EAC3D01B3E7F4879EA32A962F7AB0905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.109{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C091CE467393EF1FB8F9B9A4383DDADC,SHA256=D25832644CF56ACE2F45CD384D9C2711FC846EF56D8B469469A12AA954797689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184AA9EF3A336910EC82F1D6E59299E2,SHA256=8566410BDB1B0EA978D32A6516B8664B0B4DBD6F4944153EE04F6F8723EDA12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B0053410D56EB0F8CBE0559C249CB,SHA256=F755C8A897FD7ECE0A31C4267A09B220F599E800CAA642695E9F9E1A9AD9AB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:35.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ADFC9F56F6C5DD189BB512C72C6A3C,SHA256=FCF318726F480613F197660E77A532D0C6025D7742C6E1BF8D8BA0E24BF93DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.812{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13FB968DB390AAA58E7F4E350038C25,SHA256=FB23FF833854B5E0FA6A3588D05DF3745B2C2B4B0CCE8FE5AB4CD6D2345A0DAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:32.665{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50577-false10.0.1.12-8000- 10341000x800000000000000084555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.266{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.187{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9196CAD8359B7CB6403659D27BBB651,SHA256=934B8AC1307C944C6EE115ED3C7097CC91DF9D21E71248CFFE197161EA6DB4C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.062{6F8252D3-CFAE-616F-8202-000000000602}17004008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:36.605{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A908745D14B4932236110707665F1A,SHA256=D45E942E77E2028D0CC3B81C14AAACD88D6C2D4CCC870C47928DC36875C8606B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:36.190{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCBFC96F1BB2142D142EEDA5662DF7F,SHA256=05F46A977EFC4EE4DC2E0819013D801834E6C0F3993090C9C98FDE0016E396DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:37.605{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0A854970F8C2B6371912CF8FFEDEC2,SHA256=82B512189D8E6E70FFAA3C7737DB248B7E1BBB8512D1EB12DC5C743F87454685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.737{6F8252D3-CFB1-616F-8502-000000000602}3748296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.503{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.221{6F8252D3-CFB1-616F-8402-000000000602}35043184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.205{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C72F5C4D6FA60C42EE397849B7D3CF,SHA256=392C4553A7EFAD80B38B645EF8FFA38CCE6A14A85EEDEE4DBFA40EEA526ACABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.003{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.643{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4723D3C61F70BBBEC04A2E640B9DA3BC,SHA256=62ED2207E52C543FD0877E022B719C31CA9F6361B79F52FE9F7B5D904DE98E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.221{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6225CD400D30735B5E2870D157E426E,SHA256=F99749EDDDDAC9F22D7E870D7C85882939E7400502C1ABEA5DB4478D85826981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:38.668{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E74D8DAE2CC5CB8FA353FA90F623FA,SHA256=F49742C88C2D0CEB33459BD6842A39D00A4D138038CE4A3093AB70E4392C3914,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:35.673{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56069-false10.0.1.12-8000- 10341000x800000000000000084601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.190{6F8252D3-CFB2-616F-8602-000000000602}24762552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.003{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:39.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C933286A3C1EA4EBFAB7A0EBEC9AACC,SHA256=11406443AE3193E2A95CD072CC00BA8FCF0B7488791E14B24D98915B50867952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.762{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50578-false10.0.1.12-8000- 10341000x800000000000000084617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.299{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE4FAE1C0B945898DB8E101E389D3E,SHA256=26A2EB4BE75479F746D852FE1625BBCC35B1D218508BD31639B802ACA6F46668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:40.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510A70AC6B027CB4449D1F4E7A3E923C,SHA256=466285D05E293E949642710928659E867C8B2BF5730AAFB63513C7D3DA6C527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:40.627{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=563D611E5570C27ABEFB3BCEECD9ED57,SHA256=5885207A9BA31D85341BC3603CF10E23132BF37A5A7EE0FC769E4BF8410EACCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:40.315{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513ABFE51717BC2B1E3EFF25BEF7E3BE,SHA256=7B7C82326C853C32F91072E980787BCBBF499829759D49D3F375D775FA8D5445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:41.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87389F3743BB21B36C46E1A72B0C4B1,SHA256=9600AD03C28F37F0BD8E7880C6264EF2CFAAFD3C0FB9E28C83647B818584FD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:41.424{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69122BC4B93CBC0107F827C8B0282AEB,SHA256=32C53B0CCAC9D5FA3FD355D854C20B8E481C329C63A12350C8E02732721A690A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:42.440{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01F34A52383C34AE715B6A4D560E001,SHA256=A5C11DB48196D0EBD03D5B3D938276072FEC8D1E37598E90ADA5C26EDD05DCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:42.731{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC2B98861859D350F463A376097BB1E,SHA256=D15ABB293EA3228D6B0B8C39E788B6B57346C3EB604B605A609C00EB5B85AFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:43.643{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBFC5D4BB47990201283297C9616C36,SHA256=C3788A3D5CD24029A043A9E233E671FFA75B26AD03AE76924CA37114028EE158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:43.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364252C24F8D9B4923259E120D21B4AE,SHA256=B5A0D934B430E04F64CBCAB594300A48DC3BFA6C880851A8A66904522DA828AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:41.565{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56070-false10.0.1.12-8000- 23542300x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:44.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F788821D00AE8A9D2DD3750CB44E5B3,SHA256=A60608CDA975191A851D2A7E1026E1D32F9F9A0FFE388248ABBBA69BF72C2A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:44.690{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015A035A23E975C8B2F0FD51F46699F3,SHA256=C18084DE2D21DA79D8404CC1DC8098D79ACA133F8F57DDEAE2797D2BB8646588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:45.752{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74928D6E860239B06F52C3123C419DC9,SHA256=A1C923FAF421F40D07A8344D0F91723BF0F990E82589D8B922066B9C273A5FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:46.971{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBB622C2C2F9D434BD1C1BE438D48E,SHA256=9C9630B90E40E7766D516CF77B103B44174A5E0A1CFF14FCEFFE68B957747BF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:43.777{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50579-false10.0.1.12-8000- 23542300x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:45.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3026F012D2DB3BB493C219550ACA4B6,SHA256=FE8BEB63A795A1C2D17BF3771B3BD63829BD86AA8F88772B5672AEC008CD86A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:47.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1614C85D1FA906BAEB56F7402355FB74,SHA256=8984BEE380E119FDE5FF2114D518FFA0C9683E38E499D1E7C972E6132C42A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:48.018{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4288DBC6963D9F1C5FD55AD5BB4B5317,SHA256=4DEBB8ED178919E43B8D190F23FD91FE12DD95F85A5AE2F8260503AF67836D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:48.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C63DBD33271130B54E18962B36732E,SHA256=F6639877A1EAC75E7BEA83BCFB1403E2A641939ADC4D05D382876D9705DDF0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:49.033{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6BB045DEAC79631F5A68A88B62931,SHA256=5A0BB3059210429CF640EA0B88FD3D99BE2678ADA32B41ED1849DE751928DF72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.826{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:46.706{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56071-false10.0.1.12-8000- 23542300x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56086A6535B296311DADAAC20FE0C4D,SHA256=C2D7B02D9EBFBE3493B4A64408DB3188E5DD79B7B2AD1C34866DD5EF1EF3416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:50.065{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CA74F195F028BF5F84F9CEB0F40F1B,SHA256=F08532288D719DDE5ED2F09651C099075ED0217174695DBF69D987AF7CD127DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FC9C1E673FD6799A91D9D228EC9084D,SHA256=5A1C84677A2B3F7251FA20DC25FA3204B2532FDD9471B36086EEB41055AF4430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184AA9EF3A336910EC82F1D6E59299E2,SHA256=8566410BDB1B0EA978D32A6516B8664B0B4DBD6F4944153EE04F6F8723EDA12E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.326{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.077{8D4DD44E-CFBD-616F-B102-000000000502}24443280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC8F5352560C8F733D6F1013E8A4115,SHA256=F8F8A04C21ACD7E207A6E363B136FFBCA9288368C50984B70BADF093A7DE4635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.325{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526A9B0FF7D0E1A4E2B825C763304F40,SHA256=AEF2F899B55BD2556B1C19A656E2CB3C348686DCE7DC5B6BC4CEA611DC41B034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:49.715{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50580-false10.0.1.12-8000- 23542300x800000000000000084631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:51.096{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410EF930F5F6EB70BED31723F42AE0F,SHA256=200C5D2D67307EC4AE414F0E6B72B8F224B5F6776830328A933C6ED4016AB536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.232{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.967{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD11C66A81CED917523E116C02EABDC,SHA256=0220E99115F1EA7BDC9F1B8DB65C4603B38494150BE29E4DB6A9B77B949F410D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:52.127{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B3EA975F9B0964809C4D0E542998E8,SHA256=855B2F69A6D9B337879D07315C3B6FDFC8E4F09E2D8BFB355DCD42EC0031FB37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.471{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56072-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.471{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56072-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.216{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FC9C1E673FD6799A91D9D228EC9084D,SHA256=5A1C84677A2B3F7251FA20DC25FA3204B2532FDD9471B36086EEB41055AF4430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.981{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA23A507A8FAC3E97372E70A80295407,SHA256=C11BB0BC4D52CCBB1330D5467B8EBF88A7A54B14A55726F9DFDD9A4219A3C950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.638{8D4DD44E-CFC1-616F-B502-000000000502}13083888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.638{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4908799220D72D9F4397E7F2233F7C,SHA256=C5582EC0CF0ED99BEA491AC9E305DC3133AF2B797D07610DD8BEC6AE4213C0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:53.252{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C54F0B55716B21BC2799B290556341,SHA256=1A95209E91A6E5AB07B04DAFE8D578AEE754FC4A334615A9FE51EF209E82DDDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.467{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.231{8D4DD44E-CFC0-616F-B402-000000000502}4944520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.856{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F7FF20FEE5E7C6B291A352569D4FA,SHA256=573C5EDC1030645A80DC0B76B56F22AAF9EB7940BBEC8F05F3304FDFB36FBC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:54.283{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5162EB4301D2850DC4C291DD86D2FEB,SHA256=273504634ABE8BCDD3E28C891231E650CA910302FAB69607C3A541EA6FBEC4A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.628{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56073-false10.0.1.12-8000- 10341000x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.184{8D4DD44E-CFC2-616F-B602-000000000502}38282724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.872{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39B074982759ED680B4870064CE7840,SHA256=142B8531294802F0B20C28A914F7B15495892A86790C053AEE0910A01B45B7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:55.330{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFB479DC6C8318D2A6B01E4DF72D561,SHA256=17EDDB027E412B9FBA06713D9D767A13213F70B6A98F5CC9E42FC87206476429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.153{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED68200DC82B64F5785BE7938D31D683,SHA256=9CD5E28CE9989037DE05C00C69BCB87F4FFD52FC5CD5C205E851A65A580D165F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:56.938{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811DD926CBB87944630E112AF771DC5,SHA256=ABDFD34EE1AAEB31712D78D0313AC41C68D589B1EEDF250EF0CE462CB1E1225A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:56.351{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1AE8D3F4286A0F1685D7B8BFBB5ACD,SHA256=AB25BAD296E127D383DCA3B9592098DBC043AA00EF026911A610EAA68B74400E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:56.391{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AF330E4826E6DF669B14A59508F980,SHA256=6C21D34D3CA6DE2B0A4B262968E993CA9D0E132BF5A0B10110F03FFDCFD7B306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:57.382{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBE68D3D37DCABCBC6C54E132CD5788,SHA256=1E7CF39BA8B41DA3F30BF9EA0CE3CC1B7950D352E7D43B19AC117AEEEFDC549A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:58.398{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3593605FB314A03B5430DBE0BDBFD4A9,SHA256=F7AB3C7876D9901DF8CF3D96E3B7C2A5BDA994B271F7D1CFCE4D1E104E0EF5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.157{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:55.689{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50581-false10.0.1.12-8000- 23542300x800000000000000084641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:59.460{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91248262EE95E6DEC397B25F3BEFE5BF,SHA256=4E2BF040211A1023767BCF6BCC2C049D090783E35BB2A7E7554869CB0E899D76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.969{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1E158C0B7666BDE2B89A5E7F90D8A4,SHA256=EA040102FA05EB396AA4B45C20BD373BE4B81E14897F50D360BCD2A1F8DE6DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D38AEF46C41642D0D2D651B5D9F8122,SHA256=25F892D0C66597CDE2EBE56E061CA38BA49087F2D0ECEECDECA3E41D9C3D27BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4B537995C0E78C6DF48E0968647F79,SHA256=4CE49F8D1485A229345D38E60F649A796EF88BD504E3B1C94009F868E45867EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.829{8D4DD44E-CFC7-616F-BC02-000000000502}14044136C:\Windows\system32\LogonUI.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.798{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.798{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.782{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.782{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-CFC7-616F-B902-000000000502}19244128C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-CFC7-616F-BA02-000000000502}43322148C:\Windows\system32\winlogon.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.771{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{8D4DD44E-CFC7-616F-3203-200000000000}0x2003323SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1c000|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.751{8D4DD44E-BF3C-616F-1600-000000000502}12925060C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.735{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-CFC7-616F-B902-000000000502}19242612C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-CFC7-616F-BA02-000000000502}43324000C:\Windows\system32\winlogon.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.691{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a17855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.579{8D4DD44E-BF3C-616F-1600-000000000502}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.501{8D4DD44E-CFC7-616F-B902-000000000502}19244636C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000103571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 13241300x8000000000000000103570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000103567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000103565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000103564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 23542300x8000000000000000103563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB797BB352CB301B37E1A92C90E2ECF,SHA256=5F6F9145F4118BC6517328AC907F7E23E11CA44633E69599EDB5C7C5F70A0013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-CFC7-616F-B802-000000000502}41685036C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.256{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c 10341000x8000000000000000103544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF1C-616F-0200-000000000502}3082860C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-CFC7-616F-B802-000000000502}41685036C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.234{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c 10341000x8000000000000000103531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF1C-616F-0200-000000000502}3082860C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF1C-616F-0200-000000000502}3081664C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.223{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{8D4DD44E-BF1C-616F-0200-000000000502}308C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x800000000000000084642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:00.492{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7862108C8576A0114FEB78B841FAE8,SHA256=85B214EA27A746F7B494034CA304B48815515E9C2E2C4DA86746DBB880DA2AFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.969{8D4DD44E-BF39-616F-0A00-000000000502}6243356C:\Windows\system32\services.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.969{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8981EEC3B8E3E7A6CD1FDE020DE0D69,SHA256=C688E809C1288240A9FE4072F0277DE6FD9F78B19251098DD1ED0E189E4B0411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0A00-000000000502}624600C:\Windows\system32\services.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.963{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.829{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73CEBCA7B9A0EF22D854E156D21B562,SHA256=0462E7D94135539C30AD3D39AC4D0C5F0714435D4899D8F95DDF15515744B745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-C6A0-616F-7F01-000000000502}21603208C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-C6A0-616F-7F01-000000000502}21603208C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 354300x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.146{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.145{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.105{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.105{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 13241300x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000103865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000103863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 23542300x8000000000000000103862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D45A4523BFA0F90652CF53497CCE71,SHA256=9E98AF3397318C3C88731B5538157C6D14D1F098D3668077C87E321F276E205A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-C6A3-616F-9001-000000000502}4532ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=9B6F0B9293D2CDAB379606826F1FF36F,SHA256=16160A5E4CABC18988628075B2739FEDD97DDC879DDC9A7B1649E0EFFC0AC088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.722{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 10341000x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.610{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.610{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 23542300x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.579{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F8B3D09DCBFEB574484F18BB706B6A,SHA256=260B8D215B1EDF65630197B0BDA29ABADF2AB1ABEC4BC63426137A9E6AD1F8AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.553{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56074-false10.0.1.12-8000- 354300x8000000000000000103775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.512{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.66.206ppp-93-104-66-206.dynamic.mnet-online.de62146-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 10341000x8000000000000000103774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.516{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.516{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91622E5DD62BC5798BD3978D99A053A2,SHA256=8637502A6C1FCEA372E65D856AAE1D94F87DBE9BD8248EDBBDA91AD9387138C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-1000-000000000502}1082328C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91622E5DD62BC5798BD3978D99A053A2,SHA256=8637502A6C1FCEA372E65D856AAE1D94F87DBE9BD8248EDBBDA91AD9387138C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A895116CA8F2E3C47589E3F3EDDFA78A,SHA256=B2BA34F51134E32C886B16861A3C886C523BADBE79B5138F7A9DCCB453E1DC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-1000-000000000502}1082328C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824FC19195CB782B035A91817D50F907,SHA256=D2522068F6147CAE9A94B2F2C4D9DF35D74BD702CB4EA6392D18758087F1C0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.297{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672D71BB54250BC448D9B0C28C528F17,SHA256=7892BB499A417036E567E33533C2EF8D9118F5A72B4C9C08D99C13E8946B1F2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.266{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 18141800x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}1082348C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6a79d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.126{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FD2EA5840942B1F30C009C2BE39B57,SHA256=5AA90ACD95EF7E91AACF949A827BC0471D5B1E84FE50DBAB34EF417EC4230834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.048{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DF8DD8B9CAC10A50501E1061A97861,SHA256=03E3BD158E537D6F619B00F176525D62CFCA8BC5D4A0F24B354B3F66CE3FE075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:01.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC62187F1C0E697061136578BD020E63,SHA256=4CDEFBD4B71F0593DC67B8D0DEE7982540F043C9E66CF412E222E8D0DF66E13F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.641{8D4DD44E-BF3B-616F-1400-000000000502}11041396C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.154{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.154{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.563{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20C1AE9781B2681BF33B35C0A441CC96,SHA256=C9D8E7A2B5CC53DD5082D1583E16C553177D6751B55BAF9029739731503277D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.516{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=425F87FC1DD54F2204986D0B299B59D5,SHA256=970ECDBE9A60A3FB0941B840C2D2B17FFF0CB91A076AA00D05F59459AB1380FD,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:01.469{8D4DD44E-C6A3-616F-9001-000000000502}4532\UIA_PIPE_4532_00000023C:\Windows\Explorer.EXE 10341000x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.313{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D725F03C5D30A0A4481A6BB71518DBA5,SHA256=8BC07E322297EF65D19B2E89AE83569D0F55ED1A62DC129D436C0929DB143310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.251{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77852F77DCE0AC06EDA50E8E78011CA,SHA256=83B59639C66C48694DE56701BBA690531D2186CB40D8E4D77F6A69292C133F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE93A9B7AE1E6D7A009CFB2788481FA,SHA256=935753D4184F9C552547E6DCAB23675241E377DE868C3E6520DD1CD083046EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BFC2-616F-8600-000000000502}3124C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF5B-616F-7700-000000000502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4600-000000000502}3668C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4300-000000000502}3636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-3C00-000000000502}3452C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF49-616F-3500-000000000502}3288C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3100-000000000502}2484C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3000-000000000502}2372C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2E00-000000000502}2236C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2C00-000000000502}1188C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF45-616F-2300-000000000502}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2100-000000000502}2512C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2000-000000000502}2504C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1D00-000000000502}2060C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1300-000000000502}396C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0F00-000000000502}1016C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0E00-000000000502}992C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0900-000000000502}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BFC2-616F-8600-000000000502}3124C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF5B-616F-7700-000000000502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4600-000000000502}3668C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4300-000000000502}3636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-3C00-000000000502}3452C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF49-616F-3500-000000000502}3288C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3100-000000000502}2484C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3000-000000000502}2372C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2E00-000000000502}2236C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2C00-000000000502}1188C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF45-616F-2300-000000000502}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2100-000000000502}2512C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2000-000000000502}2504C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1D00-000000000502}2060C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1300-000000000502}396C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0F00-000000000502}1016C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0E00-000000000502}992C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0900-000000000502}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.110{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-C6A0-616F-8001-000000000502}29281964C:\Windows\system32\winlogon.exe{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.092{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000104042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.079{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.079{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2DF7EC949D99626A60C2CA1199CDCE,SHA256=4E1810418A29855F8DE08A1A2259803EBA622B2143D86343D16C1952BF3348E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000104038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000104037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 23542300x8000000000000000104036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-C6A3-616F-9001-000000000502}4532ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=9B6F0B9293D2CDAB379606826F1FF36F,SHA256=16160A5E4CABC18988628075B2739FEDD97DDC879DDC9A7B1649E0EFFC0AC088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-C6A3-616F-9001-000000000502}45324652C:\Windows\Explorer.EXE{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000104032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-C6A3-616F-9001-000000000502}45324652C:\Windows\Explorer.EXE{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000104029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.035{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 18141800x8000000000000000104026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000104018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000104017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 18141800x8000000000000000104012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}1082348C:\Windows\System32\svchost.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.992{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 354300x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.808{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local60057- 23542300x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:02.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7FAB87F8BE59103ECBF9A19C1E514,SHA256=E74E9E545F65F68324633B32015BA59D06EE24267A15BCA9E6A45DBAD8CF0E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:02.538{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6045CD3F1C28CB01E2A006A65FDD3451,SHA256=C42763F1E8969BAC526DAF42EF81A55CD45C78C3A6E557FC226BDE32FBDA388D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:02.141{8D4DD44E-BF3B-616F-1400-000000000502}11041400C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:01.657{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50582-false10.0.1.12-8000- 23542300x800000000000000084645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:03.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CB6C6AE58300C2639FEC8A1C48E0BF,SHA256=8BFA0F64DE1B86F972E7B0F6DE36486F5329D52EF7A556F1D562FC176341DF91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.968{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56078-false13.91.16.66-443https 23542300x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:03.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E109C3CD84732FF4FAC2A59531F2307,SHA256=0AE50B50299FA6B778A25C8CA0EEAF1FD2BCA7B92B8A02E4AF238838AE3DC4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:04.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074D83F42053E83A49A8BA70D5C8AE4B,SHA256=D1630A44E9AD8C7E95859D25CCC6D0894972360991C6EEAC5F0A669373F97C5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F10B2CB0731C13842DEB7BBA890B717,SHA256=48AD696F61434A7135179478447E462248630C2BB051DF3E6B3C5715621D3B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:05.570{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6320736752758475FEB44CDB1334DAB,SHA256=0E085BB84E20E3261358962D5263FA267ED51932BCFA32D8E83A8B8A8E0ACC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:03.053{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local54586- 23542300x8000000000000000104368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.641{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F811B8E84E2C1289132C0C7E78D4ECE,SHA256=5DB25F624596A68D78BE32F64BE857B5A666E8E3ACB7E39F46D9328B0747C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA16F9EF46E444363447642E92E4DDD,SHA256=9FAFC78B3A566D8C5CAA3C9F073165562FC231E6715D0001E30BC35B780F0FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.423{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.423{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.407{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.391{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.376{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.360{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.235{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.219{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.204{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.188{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.172{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.157{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.141{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:06.782{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99886266379C341FFE2B3C17C00C2C8B,SHA256=0546B67F563F45919338FE13BBCDAA0B128844B907A051E012ADEA3F6C720D16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.522{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56079-false10.0.1.12-8000- 23542300x800000000000000084649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:06.585{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604FB54291D9B6388319A6F020394F9D,SHA256=F3224C4CAC90DAE892EA61A7EDA86BD3633866377F940E0BC7D3DD47E538BD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.860{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C62B15B8ACCECE60FBBFA0F6CBE761D,SHA256=76FCC305FDC1F4978032C4D9D6F4D5A8E847335349073333244F50096B4F2FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:07.601{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8472B9BD225FF4896607C209265D3F96,SHA256=F2E6D70278040048EE26EB450AE456CC417FC490790DFCE98DC74BD5AEEBA429,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:05.158{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56080-false13.91.16.66-443https 23542300x8000000000000000104374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:08.860{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBED469C3F2B0ABF36A96E48197815F,SHA256=C8955F470ED18BD1B70614CC857C0900D711D9C7374A890BA595A4DF44D62F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:08.616{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E3D2808AFD015AA002D48F1B21CAA7,SHA256=7911433FB7D0E2CC0A922E3EC1DB283982760DDD5A74BA5E23C152D7F47FB12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:09.876{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F014B12BEB32B64DD18C4973676C3B6,SHA256=5822E4C749879698D0EC0AF6D094007E42926DBB1271833CD9CECEC7AC666143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:09.633{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:09.617{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB8C9BC27EB73990355705C837B192A,SHA256=91401D4B407372988FC54E468E0789A879706DE1AC4FA90BB1E3DB1AA62307FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:09.073{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-068MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:10.876{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DFA827D17AF53869758D386C63A25E,SHA256=2275EC44763555032ACE25C7C6F69B8D8B11C9833CD10230ACC09D61A9126856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:10.617{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A651D569AACD8C1A355A9E1EA961F5,SHA256=E44CE8F7047F474A8E18E467E0449D1B086B95F53C81AA26745A15DE7DAF8896,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.979{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56085-false88.221.62.148a88-221-62-148.deploy.static.akamaitechnologies.com80http 354300x8000000000000000104380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.959{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56084-false88.221.62.148a88-221-62-148.deploy.static.akamaitechnologies.com80http 354300x8000000000000000104379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.939{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56083-false88.221.62.148a88-221-62-148.deploy.static.akamaitechnologies.com80http 354300x8000000000000000104378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.921{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56082-false20.86.173.234-80http 354300x8000000000000000104377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.906{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56081-false88.221.62.148a88-221-62-148.deploy.static.akamaitechnologies.com80http 354300x8000000000000000104376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:07.902{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local54256- 354300x800000000000000084656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:06.814{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50583-false10.0.1.12-8000- 23542300x800000000000000084655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:10.071{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:11.876{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E261F8C3A2FC8041045E6D2ECB1D7116,SHA256=362A0A8D1E4E4DA68798E960E5D94FA50729F4C8D17B9E783695E253254CB405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:11.633{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14286E0A75C25808C951FE60CA7870BC,SHA256=A52698A65865FDEC47BCB988768C2439D6973BE5BAD8BD39C0E46F229A44E6AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:09.190{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50584-false10.0.1.12-8089- 23542300x8000000000000000104385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:12.907{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7FE971C73A2084A05D31568095D0C8,SHA256=60BE01412EC57BFED41AE8383CE1B312DDFB52E53DC1841E5015534E35D0F87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:12.648{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F30FE4F7A515727D90415BBD1BA8CC,SHA256=09D58BB88B8D8E072587DAB4E4D3AE1ABA6CFE3A811EF1B4AEA3BBD1E69DDA77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:09.366{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53711- 23542300x800000000000000084661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:13.664{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825264531ADF3F97E002805F27E10C19,SHA256=CEBDE74F5CAAEC0181FAC50CA8A7334C3E3BD568E9466934B33B412EE02A744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.923{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E5BFBD527C039FE1B7703D52CA628,SHA256=232A99B37492EE0157C0D990391A9FC50D458AD9BAD00A7956F45784D520BB55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.735{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000104386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:09.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56086-false10.0.1.12-8000- 23542300x8000000000000000104391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:14.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8AA9D2386C5EA31B87B4109B63FEC1,SHA256=1A64467CB3D38E0D72D305B3CEB40DD2BAB2E1226E1F8112135A90778622B48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:14.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7097EA6D942861056073734C60F3962E,SHA256=ED718A0308FB40F9600673B22E81D46DB5707680FB0913A924EA20A00088DF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:14.641{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BF66A12F2CFFBBF6482B12A4AD6B5A0,SHA256=09527D3A3FCEF3A326E4F3E90BAE83754E2DBF996ABB03F5D50C67926D968BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:14.641{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5535F7833CEE032639FE6FAC381FE225,SHA256=A4BE6ED60C99DA7019DA61B3102DAF7E368798EA4BF7F84635037487F8EB32D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:15.955{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F067F91FDC1900CA832F2D51E77FB7C,SHA256=48323E7C74E8A53115E921B693098E67934CA04298B9A0E33E84415615D5D0A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:12.738{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50585-false10.0.1.12-8000- 23542300x800000000000000084663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:15.695{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62870037A775AE9DF0552E3898233F,SHA256=491300AFDA429792CAE30A88CA7FA0D081B0A4DD42BBAF4C3DFB140A0C62A163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.229{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56089-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000104396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.229{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56089-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000104395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.127{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local56088-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000104394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.127{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56088-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000104393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.120{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56087-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000104392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:13.120{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56087-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000104399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:16.987{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0EF11E1AE28B60E41F2F3335EC0F36,SHA256=E9B621352028709D33E2BEF626DBBE0BE4B05BB9BBE86E9FC8BFAB1D6C63272D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:16.696{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C078EC5827203FFC63E310F15FED5,SHA256=5EB5FAA6D38111A40161A7894197D764D49165823BE6D77E239C303A31A5ED3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:17.712{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403CE634B646C53BE0642F47933F9546,SHA256=8BE80AB4DCC3CE9EB506E3234F16A6AEC092D9D1A323DF140519012C641B93B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:14.725{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56090-false10.0.1.12-8000- 23542300x800000000000000084667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:18.727{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72766B0E17AAA75610DBBDB6EA611C41,SHA256=C5FDB85EF6763789823C0A3168738BE3BB4FF478A5D17088B8E3E4BEA9385BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:18.002{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6ACD2CEAA1BBD65C39A7D1393186229,SHA256=73D09EE8AED0A5051F44820A5D14DFDDDDCF5C9AECB89AD3A9E5B88B6F771B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:19.743{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B483964E154BBA78E6F6474C4D31A568,SHA256=86CB5C5481A17710F3424A436C359745A17BED073F662DDDE073C81E847BE491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:19.002{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4D7A740710F3FD11550946E6F44FBE,SHA256=3F8CAD8B2FF50CC36CB020BA21CF7CA82151099CAAEEA6BF3F5E3314633B3BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:20.759{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BC9A01D0133CF09004A40C6412B1E1,SHA256=78854DD5F3920938DC88B9D4C1B7350B706FD554C639CF3BE9DA6598DC68E451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:20.034{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6764035667934CC5FDAE5949B62C75D3,SHA256=92B55B96EE054791C993EBC601501E9B0861EB13E08603B06075528BC2CAD4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:21.774{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F82B933EF6CC81F417768BC42850AE,SHA256=8F725CF496F5023D657B4CCC65EEFD57624DFF6D5C3F8B3006C42A1D2C8DB63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:21.034{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C42B6DC78BDDC28BDE567379F4D0F,SHA256=B09B3DFA850219B493765CBC46941406C550AE15E0DEEDD0FDD82D71013BF795,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:18.659{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50586-false10.0.1.12-8000- 23542300x800000000000000084672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:22.790{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB0E74E89E3623D00510542E59E9BE0,SHA256=FEB83C261F7CCF9727C50DBEDE2AF8E2565238F0B59AEB8B5C2A64B89E2828CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:20.555{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56091-false10.0.1.12-8000- 23542300x8000000000000000104405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:22.034{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D121BA68C82F43FB61CCEDF43C69A5,SHA256=C0A674C8CB29CCB39270B452B83A6FF91C2B727C8ADF22F988772603FA5620FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:23.806{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398F2BC4E0CF022969030B31DDD3DDC8,SHA256=C97379A22353092010F76BEA119D6E1FA3E8562D7B93D14124A06F59B63C2EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:23.692{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-068MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:23.034{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B529521ECA1078C078570822EE26BB9F,SHA256=E60FB8BA602BB25B70E90B93FE6567782280F210DB313220BCDA97F8992466F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:23.118{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B882910B19535472A5D6880C6EF545A,SHA256=F7B3E2D497DF0CD51692CB1C89D1C3F04F8A8604D04A017783AC1CD698EB0573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:24.806{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19ACA250FE05B1551D48E3ED2E4E9CAF,SHA256=38BB36D9BB7AC121157993442DEF3B48A5D1E67F4A90DD5CF56428FB6A7DF56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:24.696{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:24.038{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A83297CEC24EE48530DE56225C4425,SHA256=B222B2BB1CEF3A464D194187D7377AF466AD80BD03D062B956EE06203612840D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:25.821{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F12B292659C5FFCDC12D023C870F9F,SHA256=BE192A00C538ECE6A8FA62BF1A9F28CEF99089943DC0E13F18A63B7B3F6C6820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9E5C44089E7ADC47E667DF6438ECC1E,SHA256=00652F014DAAE8F26F6B723840428017E6D39FDE587D6BA4879552E0C07413EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BF66A12F2CFFBBF6482B12A4AD6B5A0,SHA256=09527D3A3FCEF3A326E4F3E90BAE83754E2DBF996ABB03F5D50C67926D968BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.263{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C70C2095513241B0A85743EFFAE4BA0,SHA256=EC5A55979D354C381AA40F3A572CF8F96DC3711DD115DDB76B8BA95C9BEF135A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.247{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.135{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17548856924B84A7A4BC49CFD1EC8C69,SHA256=1654EC0AC3F07F6F0FEAD363A2BBCCF8CC1AA26D6797CC41E7A4991A33C2D812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:26.837{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26E0C2A04982DBC71FC4B09EDD6E0D,SHA256=80A2E2F7F93BF92C963B2A581942AD1F1C98300320E5327A7A67459316DB3DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:26.263{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460DE0FA44462B05775CFCCCAB4807FE,SHA256=7EBB699308EBB3D5DD88FF3F619D13914EB5BD686B3EE2A539337772BFD25E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:27.852{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7F3382D0DAFD642266F0C4B87D96C9,SHA256=28C97E26E8EEB9921C3556E35BF1B2DA3433FAE265AFF39A08F5A91FDED3EE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:24.722{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56092-false10.0.1.12-8089- 23542300x8000000000000000104417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:27.294{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A12498A2D4B40ADADC54D0AD403400F,SHA256=F466DDED02E63C4A9105F8F15D161AD5DF7C3CDEBB69B54E4ABF96A4D55339D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:24.628{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50587-false10.0.1.12-8000- 23542300x800000000000000084680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:28.868{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E533297A995F40F63C608581B48CFF7,SHA256=8713DC098A63B8AC04C737FBA4F20B153E3A971B63F6413C08945E5BEEDF37A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:25.629{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56093-false10.0.1.12-8000- 23542300x8000000000000000104419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:28.294{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED9B8577D442395CE9BD1C6DF1FBDF,SHA256=09B0BC8C0575524AABDBEF33188E365A6187031AD72E8CB8057B9268A843D919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:29.868{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC59C464FB048D88897B03A6812C387D,SHA256=D59B60AA08100FF97E2F73D573C5887CF1DDAEE81C55C7E8342A9D1DB8630BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:29.388{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAC4AAF3DAE17255912B9E5ABFADDDA,SHA256=749C8DEA21F4514682BBFF0502C6F045BB50657181C080713D269EF1DB9356FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:30.884{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6ABFC3520A6DB82A6CA0C3E9411F57E,SHA256=1F09D668F70C9D8C5A464575A2408E000DA7C24C46A7BFEBD3AB68F77B8C0C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:30.451{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7453B82C03EC0C1C24B721CCBFAACC61,SHA256=C938031CB99D67465E6CB52A72810027502BE12FED243E3384DE6579C24337E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:28.817{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.14win-dc-185.attackrange.local3389ms-wbt-serverfalse146.88.240.4www.arbor-observatory.com34574- 23542300x8000000000000000104423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:31.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D2AB2FD5CC0CA5DCE51C8615621DDA,SHA256=B6389F5D8B3A71875B53D7F750B826CE92E677A70920C8739263C8E50AD98D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:32.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1627BFD2CA6227BD336AC5D4446E9C7,SHA256=4C60A982B8BB1C86D3173BFBC6D1FCC2F7B55DB561B928876C88C1CDFF1E0318,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:30.659{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50588-false10.0.1.12-8000- 23542300x800000000000000084683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:32.102{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B24FDEF21C8975BA775172AC9C1970,SHA256=8AAA6BAD772D2962F7C9DB6AF8C43A003A7EC2291DFA718AD947B31F01363D8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:31.566{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56094-false10.0.1.12-8000- 354300x8000000000000000104427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:30.972{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local51984- 23542300x8000000000000000104426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:33.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB1C354D5C235F9A2D807093CFD8913,SHA256=D8DD2EF16F145E6987B4C0B7FC0F06540A891D314686F06144A2F9561EC66E9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFE9-616F-8802-000000000602}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CFE9-616F-8802-000000000602}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.274{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFE9-616F-8802-000000000602}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.275{6F8252D3-CFE9-616F-8802-000000000602}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:33.196{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5008CABB485C5EF773E058466BB6620,SHA256=3FE4F0D85D8F37CE16026B2229F8B07781442C9BF12882D01550ED2480CD2A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:34.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C6852D121608624B838B9E148DF934,SHA256=3FFCFCA86C76DEFCDEB59DE1246B8F25BCE0FB8F3BF174FBCCCF181E48226700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFEA-616F-8902-000000000602}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFEA-616F-8902-000000000602}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.727{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFEA-616F-8902-000000000602}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.729{6F8252D3-CFEA-616F-8902-000000000602}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.493{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E5E9D04CACE8834BA6DF1E45804BD8F,SHA256=26C3221CC24A6A08837E3ACB92C7ABA52F96C00459B14E60B9BE3083BD078CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.493{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F16EE62D92D92820D8F43D62C1F1B6,SHA256=AE7177009E020CCBD81D973E19BC2E745DDD8479D5DD459D63C77334E88F9CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:34.212{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85003449DA9AA98828C31D63F1D6FE17,SHA256=64E3D64254220A4BE1E4600C524D1F75277D778FE92BD7F470E53CB2C443E33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:35.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E6C12AFDC5074790877523B1FE8D06,SHA256=3878B2BCBC2FB21F508A00539635641AC75241D25C9DDD0C3DC46E62AE40F995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.951{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E5E9D04CACE8834BA6DF1E45804BD8F,SHA256=26C3221CC24A6A08837E3ACB92C7ABA52F96C00459B14E60B9BE3083BD078CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.540{6F8252D3-CFEB-616F-8A02-000000000602}37361108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.243{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F903B03C2EAF3D3F609FA7851B48C838,SHA256=F1B0E051BB06DDA4578701688F83E9594023E2E62A4345692F2B386DCE95044B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFEB-616F-8A02-000000000602}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CFEB-616F-8A02-000000000602}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.227{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFEB-616F-8A02-000000000602}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:35.228{6F8252D3-CFEB-616F-8A02-000000000602}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:36.476{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E2099F5586C54A5EB59CC07828501,SHA256=C0F8E9913A758CF2A245C690199B3D659B138254FDBE9A218529B93C51DA0759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:36.263{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DC78F18B041ECD77D1C03FC6BD08BA,SHA256=5E37BF7AED831E687B6D98E10988BF77D317B4FAF075D49CF8217F823E29982E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:37.538{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0648E44B176C9D588CE466759324D906,SHA256=836BA0C785A4C28543B6370440187000691CC3F69B29D68CA6FDCD306207072D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.811{6F8252D3-CFED-616F-8C02-000000000602}33643056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFED-616F-8C02-000000000602}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFED-616F-8C02-000000000602}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.529{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFED-616F-8C02-000000000602}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.530{6F8252D3-CFED-616F-8C02-000000000602}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.373{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149C03B6338CAA2988F3558DF647F15D,SHA256=9FFAF2E263BB07338789D9920832B9E900C1310EE6A51974B266E31548917D19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.263{6F8252D3-CFED-616F-8B02-000000000602}34243356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFED-616F-8B02-000000000602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFED-616F-8B02-000000000602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.029{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFED-616F-8B02-000000000602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:37.030{6F8252D3-CFED-616F-8B02-000000000602}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:38.710{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B59072515B02FC7C4535A10623D1E7E,SHA256=04AC942A855245888B724368F860703E5755CA659FDD22BD2217BA67CA035E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:36.587{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50589-false10.0.1.12-8000- 23542300x800000000000000084776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.529{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFAE8BD7F897F05993B1D01EF4C670F,SHA256=CEF2B15068DDB7DF9B5D2D36A8DEF0366D9C55B5AB4F9B5140C30A5B1D41BC99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:36.670{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56095-false10.0.1.12-8000- 10341000x800000000000000084775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.263{6F8252D3-CFEE-616F-8D02-000000000602}12122024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB6A77B98546EF3D16D46BB7D247B0E,SHA256=210D94C49D7EE80561C15221065579A2C2630054EDB4C7FC1D3A5122CE3EE89C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFEE-616F-8D02-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFEE-616F-8D02-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.030{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFEE-616F-8D02-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:38.031{6F8252D3-CFEE-616F-8D02-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:39.726{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3D75CB065B7C49475C0AA1B2D1F737,SHA256=D04775CD9DA7D71757384D430AC2819796E0179B2A8C613D2104FAA23994BAC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFEF-616F-8E02-000000000602}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CFEF-616F-8E02-000000000602}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.623{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFEF-616F-8E02-000000000602}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.624{6F8252D3-CFEF-616F-8E02-000000000602}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:39.560{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC240FC1C28282C5E340E2E8E60BD8FA,SHA256=078F6BB29F36B1BBD0E0B1DEB140B1B651DCD0D579653E1528BEF8A9DFC5FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:40.779{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F6031D4A6615F517B8AE9615001BDA,SHA256=D798109835B4784761BA0C989E87C4AA4A0D9F8E097F0BF5916DAFB5DB12B8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:40.726{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A485F473F787F78866301713EEADB3AC,SHA256=AE79328E1A418BAE947DE7E9B773728ADD55CA2CC124A8FBFF57EC1223547573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:40.638{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B943EDA37C3DDABF2AD398B7F0EA8E6B,SHA256=8A46C03E605438B226E851F81DCF31608A08C4DF5FC4814DA75971C4FF59CF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:41.888{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F2F3E6A3D4A0B38AE00057365C7DDC,SHA256=D881A61C38F59DE0A0FF1730961DBD4855274B4C0796E1CAF76E32587DF13761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:41.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8F8F09CD093EC8D1D7065DBB1AEC8D,SHA256=EE9283EE75655006E1ADEAB8D2AB68B32027C0D2E84B575B0D11F5B885822F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:42.904{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522B71F2F133A3E1F59467820F6824DA,SHA256=2493577E89863F17EFE52C8B316CA708A8809A10633D419666C12EECC757A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:42.882{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C97CEFA3C0597A536BCDD5A01E2004B,SHA256=ED2C4D9F5DDD9CF42FB43B4D461BDE67EB3D100CD2F492DA91B3F71BC2E1F868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:43.882{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B5F9A9689DB5FFF3BBF5721789CBF5,SHA256=313A5C1EE1B3DB3C5B5F7F690BAF413B6176F49E112B29DB2BC8286B877DECFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:44.029{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528D68ACE0E5DDDD210557E70D44C7D3,SHA256=7C687D09748B122FBB817635C82028F5DD1FF98700410427D679CD4650D7144B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:41.732{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56096-false10.0.1.12-8000- 354300x800000000000000084798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:41.757{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50590-false10.0.1.12-8000- 23542300x800000000000000084797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:45.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B3F634CFCF0BBE36B5ECABD13F028B,SHA256=AE768F39AE6C55E27CBE1CC7EE000A4A8CBF7391C9E691320098FFAD1117FB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:45.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3E5252FE39D4740F3AC0D7B3A326B3,SHA256=7C52D84959C9E9BCF5340E7527F23CA8073519B2B513A85D97A14D3B0C78CF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:46.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000CD28A7E720F32583C08CDE32CE3E3,SHA256=B12DE705F7A9C73BE19BD912FB244AADD7EA754A20E98B7F376E0AB7C3FB1E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:46.091{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCF640491802F5A1D66762E34D17CCE,SHA256=917892505A14E9CC7FD884B596B7ED44501ED3BDB84C8974B7B622BF3792C259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:47.107{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710AF2CFC86ED6FAF4A0C1355706583,SHA256=7550EBB5D72EFB474ADB9F785ED93F6C577E828F2F4823A13C36D50B83A8DC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:47.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76C4B1BD520EFCD38386FFD0D94CD7A,SHA256=FC019AF0F4D80EAEE520C6606AC45BAA8747539BE2E9FE10D62DC393E8FD011A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:48.123{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E4B6487E7703AEAA67AE151DE46F5,SHA256=06434714C4B4FB596CD1A081A7DEBEF3EB7D5D64994596CA8B9A2F84F8E65C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:48.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897FDD06B59BEA8BBEF6169BB4450ED8,SHA256=CA9155F88D634F0E8C4FA35E39274AADA20C1F244BFE8B3D06C7F8FA7FDEFCC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFF9-616F-C502-000000000502}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFF9-616F-C502-000000000502}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.960{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFF9-616F-C502-000000000502}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.820{8D4DD44E-CFF9-616F-C502-000000000502}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:49.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3A1D26D1E4EA11A8A1E02E4FB7CA71,SHA256=0BE6D4E22693BD45C40D081BC9C17E9FFED05DA3F52918833306C6C8D09CF688,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:47.789{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50591-false10.0.1.12-8000- 23542300x800000000000000084802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:49.138{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89F8E0387D51986EF886197C1860D3,SHA256=137CC0BEDFEEDAC48E51684923147BF2FF9011C3688E18CE9395808B2A833F3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.867{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFA-616F-C602-000000000502}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFFA-616F-C602-000000000502}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.851{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFA-616F-C602-000000000502}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.711{8D4DD44E-CFFA-616F-C602-000000000502}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.835{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4F86734D74F38CEB9BA82E5BDC0462,SHA256=C08344E070B3D994EA65B5AD2F30D9CCF0266B129779DF00D5A240518C4D6249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.835{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9E5C44089E7ADC47E667DF6438ECC1E,SHA256=00652F014DAAE8F26F6B723840428017E6D39FDE587D6BA4879552E0C07413EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.257{8D4DD44E-CFF9-616F-C502-000000000502}22521884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:47.608{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56097-false10.0.1.12-8000- 23542300x8000000000000000104454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20482E0FD4359DF2630311EEC4B4B360,SHA256=CCA5BFFD31808C4C95C42FE7C61465B0A3DB3DB2CE9A9A07482F433A01E9C324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:50.138{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF29E1C73E3EACAF640930C101FE2A0,SHA256=4996CE41DC2B2F0404396DB75E84BA70E141F409D9F7EAD270F9DC70D9C8CE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:51.154{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DDEAD01086ECCBE1832A254EC9EE29,SHA256=5D9371C410818E3458492F8AD2454555561001F26E5B3FFF36A8CD1DD67A7E5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.617{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFB-616F-C702-000000000502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFFB-616F-C702-000000000502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.601{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFB-616F-C702-000000000502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.493{8D4DD44E-CFFB-616F-C702-000000000502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:51.273{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4EBD5879C9275DC4984B6A6B182DEF,SHA256=7F78C6498A7771EA549E422FA095FE67BF28FABEF74EAFB5382AA0626E01DE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:52.169{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D314D7E0645B38B2DB3A70D23FA93AED,SHA256=55F7BAFD046503B08D0BC50DDFB5D9C3E2E3EC08F6BB7E7BB8D63C74F7A4CF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:52.273{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04959930CFBBA57AF88C8A54BE6476F4,SHA256=C814041FAFC764E1038258BA5486A1655C2B4E7963F9E4CD4A988BBC1BD89FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:52.023{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4F86734D74F38CEB9BA82E5BDC0462,SHA256=C08344E070B3D994EA65B5AD2F30D9CCF0266B129779DF00D5A240518C4D6249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:53.185{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225188B4F8E221BFE6B554B0E76FE0B9,SHA256=772619139119ECE5AFF128451B7A42D96A2667BD55490E465E24CDA5AE19639A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.898{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFD-616F-C902-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFFD-616F-C902-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.883{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFD-616F-C902-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.758{8D4DD44E-CFFD-616F-C902-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.523{8D4DD44E-BF3C-616F-1600-000000000502}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=032E5C74D8E5EBE066B84ED8C6403403,SHA256=FCC10B581029E7DF46562478469D677F3F7949A20B8471A3192B45619EBC1018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.273{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302825A9BD4FCE8888A6EC8F2680721D,SHA256=C6E273BD61757D24D7ED21B2465C0E3A2226CAF060C502DDABC54850B8AFA3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.257{8D4DD44E-CFFC-616F-C802-000000000502}41523916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.483{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56098-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000104486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:50.483{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56098-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x8000000000000000104485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFC-616F-C802-000000000502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFFC-616F-C802-000000000502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.085{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFC-616F-C802-000000000502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:52.961{8D4DD44E-CFFC-616F-C802-000000000502}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:54.201{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9076E1D3F91824814EEBD3874F1844,SHA256=8D59856327B63DBEC2E63E28CE8FFA7D92B6B71F3EF9B7BA0028EE7223AE46B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.789{8D4DD44E-CFFE-616F-CA02-000000000502}4788700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFE-616F-CA02-000000000502}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFFE-616F-CA02-000000000502}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.632{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFE-616F-CA02-000000000502}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.633{8D4DD44E-CFFE-616F-CA02-000000000502}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.523{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3C6801ED63B906A99B3B7AACF01A0713,SHA256=3BC9A037555D904AB58ACC2EE93B165786A5F0FCFD17E6E0D59385372FEDC983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.523{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5FE86B94B890BD8DE9D229B2D80D974,SHA256=124474E6EA1B3EE650FBC312FE4DAC8DD06712B4F05C4ECE658CE84763260390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.289{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0184869B485E2E51E04FD19DE8B7EA7B,SHA256=2F300AA93F235A488D5A95BAA8B218043971A70A0114DC277DCD682841B619A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.086{8D4DD44E-CFFD-616F-C902-000000000502}3524676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:54.023{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C2F696FC5E133506960BC40E648A3DF,SHA256=C4C1BE7A6F2AE0D1A65812945D0E1BA05B207BA1ABAD77E97D2B667FA3E1229E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.664{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=229B37F44F186C62E7534F9C5AD4F4C1,SHA256=513714EEA7FE049BAF493022A2FBCE9F46512A968AB4466E37A3BC167BC72542,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFFF-616F-CB02-000000000502}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.523{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFFF-616F-CB02-000000000502}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.507{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFFF-616F-CB02-000000000502}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.383{8D4DD44E-CFFF-616F-CB02-000000000502}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:55.320{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB007644CECE4FAE77FF0D11E465E599,SHA256=E90FEF6312BBDD812F6CA684818AF68B386B6886244493746431A6B064444ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:53.773{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50592-false10.0.1.12-8000- 23542300x800000000000000084809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:55.216{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2448F564DBD39138D7EA6BCDB29BC87D,SHA256=CE26347623B6C48C7EBBDE91A6EC45E371E6EEB43F4903ADC9FA0AE075352E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:56.231{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5D8DF645E1447EC474E429D0502B76,SHA256=F368FE704712B4068771C9940E41D43F7A548AB9CDAE1503D280443AF0C6F19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.334{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27579CD284E6F696926A042A8E03AE29,SHA256=449A5E65E03DDAFF3EA530CE76B5D76F0C194581AA31B82EFD18C51721AC1E95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:56.288{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:53.545{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56099-false10.0.1.12-8000- 23542300x800000000000000084812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:57.247{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F042C2A5B35B8E7F2105F6ED6182857,SHA256=8DA52A2B00ACAD777AE7E1D8DB281CBCFF2800A5ED4D0DDFF10B1ADDECC3CEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:57.381{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1184C755A2C6930F58477F3F046B2031,SHA256=0FD63768DD4B8D2EE8952A8D49C60DB6AA3D83276FA6EB7640A4E90132209495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:58.247{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8FAB7ABE2C1F7EB787F7DD70386D90,SHA256=C5A2BF356521C92E5FE1F05466F4627B4F8A512B217E37589F659C26980CB633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:58.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F8DB1D1351540AB53B97319715D5CC,SHA256=C9128D4606235FE647C915F8FA6E4354D33EDC0B6F41E4FD735D71A0BC1F9554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:59.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40877AE323832340BEEFB3F8D47F591D,SHA256=3304EF6BD67F071D35226A69CD35273B5CA22AE523E8C91A6EE00357C15F6ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:59.263{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25920EB1C1D006B1F225AD4D30A4761,SHA256=46E57EC02F47B301D50570E8E0DEB7063BFD5AE3CDE2B0BF4135AA2D87FD25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:00.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F438EA45D3C44B4B6D17570B10AA92D,SHA256=BE1D1C110EBA52D5118B0919A311C0563D18DF54DD2490703BE6DD4895DF961D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:00.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E6EFE5FFC082202BC9369961553ED,SHA256=01F30F0DD2D20116F34326F5836B584AA18EBBA3E020C12A2CE996D520EB3190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:58.700{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56100-false10.0.1.12-8000- 23542300x800000000000000084816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:01.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D26363417F87F0B1CB63886102E7C84,SHA256=F819A8FAE5D0E4E174CF0883C9625C9A1772AE66B605B15654B425CB06C38723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:01.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD8A6044F37F46ED2C3632857B7D2D6,SHA256=94357AB3E97C7DD42FCC1750D120DB595B76AB879E99A57B12CE96BDF43B637D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:59.803{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50593-false10.0.1.12-8000- 23542300x800000000000000084817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:02.294{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A82CFEDA3BDC2A8D628E898C36C48A,SHA256=FF39B220348399AADE5354CCB3C46B9C7F1D36E7565DE7EB5FB428856333EB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:02.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B51F70F43EB4E68CD016D5C94C1857A,SHA256=8C573F0764299A3B5F4609CEA91B7082B5AA77D75FBED567F6B605CB4C9666FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:03.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655DA9FBCBF87B9C1CC1CF80EF2E8AEA,SHA256=06F5C78704ACBA925BCB0C8303BC2AE903E083233AA621DE69EECBFAD97AD67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:03.309{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0D6A379913ED115AE4D155F026335,SHA256=45C2A2F79720CDCD22CE709339B640CED50403772542692A0C01E569D3B674B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:04.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223538A44941BD8D44A586B88E3CF39A,SHA256=2D56CB4E5BE4FD00624481267BFB1EA1F86C245385305FDE7BD208250296B9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:04.325{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4B042F63171ACBB392F2665D2A1F76,SHA256=9071ADBE24DBF68FF76B23EDE427227AFFCE6412E699107BC57F2361F5804CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:05.341{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EEAA22E5E678BD90B3F27B6D8762E1,SHA256=D91F2BC9AB9B4914A9D8A75DA8605DE244BDB915BC46D8B0D13DB9961D25171D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:05.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A53773438BE021B376B913CCD8F4B,SHA256=A5DAD0F64B800CF290D8C3B2584A2D82D2B5348A926A1C8ECC34EB9920700F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:06.356{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD65854B51631EC4D379400BDF77054,SHA256=1115B75B0BF4FA6F14291B3B98D2B34AC081535799BDBD71C88788CF0E6E697B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:06.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EA961530E7707CF03CBAFF6231FF6B,SHA256=0FFDFF3BC902AF8355683910DFBD984843CAD14C0256C3A7AFA68DFFB7774722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:07.372{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A341881A5F9C2278493F936A8036A8,SHA256=22D77104E7F5F273BCB2D77A8BEE106208BC452A6B48558C4C167549BF281D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:07.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147DEAB7CCF291E75BEA645D962E4C02,SHA256=A5D34DAE7649BFE805F8054126D753F8FF934EFFB7E677463A88B173DC71FB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:04.560{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56101-false10.0.1.12-8000- 23542300x8000000000000000104545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:08.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405515FF44349FD24513EEAC144EA213,SHA256=9CB9A7B098ECD1FCA5523C373AC27ECC27C3A5F8D5BBBE058B21D35174A4CC56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:05.585{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50594-false10.0.1.12-8000- 23542300x800000000000000084824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:08.497{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A1D50A07EC41C3174B7F17BAE13ED9,SHA256=DCA5C5BC09D208A9E86E3CECCE77A4FBAB92E572DF9933DA594BD7FD8D7FF6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:09.725{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F247B61DB5D9663ECD7DA8483C11CEE,SHA256=C62F5F4F43715E29225B8C1A8F93424FF7B470554254B1006CC921CA8CF404C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:09.653{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:09.544{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44395166ED1AC2E7DCFBB3243EFD3AC,SHA256=C50C2AAF1083146EACD882E390D45A9CDB76EE89FC664866D36D5E79771CC795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:10.596{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C252502B1B0E9CCBD75C59DD441544,SHA256=4F4D67DF99E3D54E92AE08DB0822EB0BAF7454FA350842C9AEB612AC12390D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:10.595{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-069MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:10.725{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC8767A4529676B70EF19D6AE4B777,SHA256=FF6A75184AE09CB2C22E5865860C35FF2F7E142B238791E6E326E73ABFC78B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:11.611{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923E00C41850634261C14C37819D7BB9,SHA256=CFAF54A29A9500598A0E6FF585A77FB98DE7EE559A6E701B3995270D56709CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:11.725{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C92743389217DBB9B4812CCCBC65D9,SHA256=C1DB99A4D86AE9C61947ADA4477DD552650FB62525C605EEAB7359E1C3DBB91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:11.603{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:09.194{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50595-false10.0.1.12-8089- 23542300x800000000000000084833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:12.649{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EB64B2B1B9387085947EEE4944FBB1,SHA256=80F759C8464422A5E950958200BAC765C6F2887320FA7960A22D03CBC6847A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:12.741{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868378C290D7A02437B5814618524855,SHA256=86C55232A9C83848C2E01BF60D354B6DF336700ACCC6F8DEA0DA3A98DC7DB769,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:09.638{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56102-false10.0.1.12-8000- 23542300x8000000000000000104551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:13.756{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1B8906FAF3ED768BE451C4ECBEA91F,SHA256=42FC42AA1526F4ECEDDC00C68B766D714764D79BDE380A444F798424B3A73E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:13.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C093C172F4DC8AC99625650FE733D52,SHA256=77E8648B2808E9CA926CB68B609945070FBCCF71D00971108C5A716EAEC1A3F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:10.814{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50596-false10.0.1.12-8000- 23542300x800000000000000084836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:14.712{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D4276EAABE65B1A16EE8707949EDB4,SHA256=49106B3B90913ABE9E861E30356F79103F27CC15E780F938E3B8C3B791298C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:14.772{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC01F9B43C11408D83E9A9B1E71DFAD,SHA256=FABEE9A1C3FD653B45C24E7222200B688E226A1717740A49027AB224E1982B9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:14.616{8D4DD44E-BF3B-616F-0D00-000000000502}9003292C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:15.727{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFE2EB1009E001388FA6B85CB53D026,SHA256=C4401D91354B6E4EBFB18C3325492A12E0AB89FD92AF7624EEEC35D1E4BF1684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:15.772{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051A6C76E36A18367C178F2DF0A816AD,SHA256=9281E6C25563804F671527BEE35690D5BEFFEFCFFE6999E9881EA47CDBEF9A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:16.920{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E5F21C3EC5AB21F334DE63DEA46E9D,SHA256=D4F0DB49441CB3A96C00B2B97BB3D7549DB0DD76FBCC6BD80127A2A72DC26921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:16.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803ED1B207DD9EB195A9A81606B8C15,SHA256=4A465F1CA3CADE8D42D2A947CEEBBF7E27AA6467523D8B8807BFB5052A671E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:14.717{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56103-false10.0.1.12-8000- 23542300x800000000000000084839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:17.967{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADCA643CB022CEC3659DF4BF9C109E4,SHA256=4D9C4D41549390017EB16E6997180027AC97FBFBC101A94D1B795A1F154A25A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:17.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5343AF419419CCAC0E8B09D230A0C7B9,SHA256=31D2CA826C1452A77B7270BB6BC19C3390FB933D82D29056B2F5D89A56A064F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:18.836{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4C4EA23191A67DCCBF201AF6089BCC,SHA256=E026372AD3C1A2687187F89040644B9C00A659A1CBF0003F16F874CC51F98E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.945{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A658F37F921E022F4A8F400DEAE2856,SHA256=E4D8B2318FC4182C872DB5B7D1181E31463A179278E79F358DDD92029BE9DC95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:16.742{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50597-false10.0.1.12-8000- 23542300x800000000000000084840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:19.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AFE2EAEE6D3BA9C309E476A45A2B94,SHA256=E4D00481927D311E30633AB5E9B05223F970934208C1223F6DC1650265D0100F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:19.367{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:20.186{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F507F5FA348DDED449A9CC8566CA367,SHA256=A5BF93F1F495266AF8B4E001339EFD3BEDECD1B74679F3AA230DC08C3F49E024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:21.373{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC974834D51ACAC9414E93E7979BD588,SHA256=75990FF95F536DE09E8704589806DB133337EF0D0ABC04B10741E7E3D93D7C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:21.180{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C5E787B51733166626AC726A57D266,SHA256=3801ADF03D3FDD558F63150C08E0AAFB10CF064B30FA62251045185735956224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:22.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48A51FF7759B1F0BF9E3C97BA9D05C7,SHA256=CDADA96CB4A2F80FE877CC8D9BA1C51DA6E58F35625AFE91570401DFFED0B333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:22.195{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B237D0BAB76277EEAF14925BFCE5A58,SHA256=EC11BC927CB599F09A2B45873206ABA8F1067C154656A7D54994E00A392022D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:23.404{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00307636669958403097D40F63FAFB89,SHA256=35EA8089D14BBD4661F261D3B6469282C1BAFA794AAFDF6CA6BE7EA1EB99262B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:23.211{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D041BF8B408658A71739F30339885C,SHA256=3B76A4482AD15E67A3265D4C681E28B07A7CE0636F09FDC6E1513D1AE7C767B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:23.123{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C8A3856CAD39ABD5B5224A2365010D97,SHA256=CCDBE519899FA3E86571739CA5445E0F04EF0A73482641E539DEF06B83239C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:20.562{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56104-false10.0.1.12-8000- 23542300x800000000000000084847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:24.436{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E429AB210A928F647A35769CF272C520,SHA256=86D9E26AE0EE75E4F4CA7566D379CB873B00BECA36FC316DACF92FF8A4B08417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:24.211{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E7B633936CCCA9F2E746D6A0B58C15,SHA256=7F4B4F93D2C20B0BF0695727D8432934F644E063BF0BD3A0F5ECEBD477FCCDDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:22.633{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50598-false10.0.1.12-8000- 23542300x800000000000000084851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:25.529{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB386CFDFC3927590A34BAD5B54E64E,SHA256=91E05A02BB177B4670262D734B199514BC889ED1A443D28183E1624ABF65EE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:25.277{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:25.217{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-069MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:25.216{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F37DB783A046937307D7674001163A,SHA256=A8EC1BFF5B819CF0F4D73FD0578C226BE02BD86985851B3B253ABD5BF6FCA1FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:25.326{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:25.326{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:25.326{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:25.135{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1AE92E67A181EA7CD85B126A17E1AA32,SHA256=00B96F034416A47E5906FE0F13367DFF413985AB6D9AB370B4F5EAED63C9E926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:26.561{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C072BAC85D5037BBC79A5C1B893CE0,SHA256=6DA86C2A5BECFD46F24F3BEF568CC0C0410A1939A20C9C54822AB70C9890806B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:26.447{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0048324844D36023BE626EE6E75B4FE,SHA256=E73FCCE210378A8FF2A31955D2FBC5882BCF5BDB59B9D8C7A96C68E3CE55F412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:26.215{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:27.607{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE7C0AC12718500B335C3A2AE921260,SHA256=C766325BDF85A4B616EACC7E3D7179BE803AC85B947F3E63C6639A9C47A286F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:27.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A2D7ACCC491AA4765BCD029C69193C,SHA256=FC343A81DE1C3402BF19E9CA8C7E5080E48472705D5651D6F445C84526405B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:24.753{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56105-false10.0.1.12-8089- 23542300x8000000000000000104603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:28.669{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC001D3B2668977401AD94ED2F20E72,SHA256=CDC7A45F53C2320EC32D09178F3F2A098A62333E072A609A6D10BA1E4712FF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:28.623{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82FCC0EBEBCFDE6B8140BFFC60282F2,SHA256=1E15DB858004A5254E193D9F2049C679A9F7878C5F76074FE907F00902CC6585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:25.660{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56106-false10.0.1.12-8000- 23542300x800000000000000084856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:29.639{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEFEB57C1FB23873D01F54C54117D9,SHA256=379E103DF81E2DB1DA8E146585ACDFAA2E08F5F5C4F7D822CCACD2DB21251DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:29.684{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322E3492EA7C95127DF2F8D8E7435F82,SHA256=D4342B44F1A8DA0198C26D03D8906421423C0D779F9AAA37AC157CC4D466F85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:30.654{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED0E879F3DB4C1661C93F7733FC2BE2,SHA256=1E6C165CFC01ED9D28879E23B8E237671AC91B54408C705D52E51F41F297C075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:30.684{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178F43C149D323A3ECC462D5C16017DE,SHA256=F2927523270A374E85B073870A991C47BB1EAE6FAB797411BEA4B58F708F584F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:31.654{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA22E3ED85300AA16A65FE37CC7F563,SHA256=0A414F2512C3B02DA7E2BFBE19B3036F92DA9CA123EE3C1A215E796CBE81526E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:31.731{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A10D090F2AD39B5A3E79DDACD5D8C,SHA256=7594118D7CA6A4397A9BF93519B8D7B5A46172824D3737D6450FF49A07E23755,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:28.617{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50599-false10.0.1.12-8000- 23542300x8000000000000000104607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:32.731{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB62670058404C3A2C0C4DD323816F7C,SHA256=1C2FD871114E7027E7D76DFD6D30F3027C34E2210B854B85689AFCC19B2F1467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:32.670{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9440F697F66638EB3DD908013AE5197,SHA256=CD1E5AFFE6CCA35076B232344D41C128067C9A0811DA57EF8D1302808826FBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.685{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D841EABBB0C8BA5455036EDC2F615E,SHA256=90D87172900DF775B14BFFE4BCBBA5984A6B44E710EEA8A13E7D922BD0063AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:33.762{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D26E4168699AF1C371ECAFAA2D3664,SHA256=98932031F8C25D240E25719E69C4C17E7ADA8C897A22A06287F1814201F1EA0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:30.676{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56107-false10.0.1.12-8000- 10341000x800000000000000084873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D025-616F-8F02-000000000602}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-D025-616F-8F02-000000000602}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.154{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D025-616F-8F02-000000000602}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.156{6F8252D3-D025-616F-8F02-000000000602}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D026-616F-9002-000000000602}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-D026-616F-9002-000000000602}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.748{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D026-616F-9002-000000000602}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.749{6F8252D3-D026-616F-9002-000000000602}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.685{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C98325A514B6F94ABDA3626CEBB879,SHA256=5735C4F76F8B8C031EE2B2442C02022EBE049C15A0AF5F6911F0521ABE8351EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:34.762{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094E50E5EC67F21367C1B3F812FC066E,SHA256=16C0B5413F52ADE36D2FCDE888793027C1714F2A8C881F4B06C5D956F6AF46F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ECF9DA941C1BB28EE8ABA53102F1DF2,SHA256=4AEA264614C0D7E5E61C216A41D83D6803FF68853B79EBC92DC60235F338DAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:34.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43CA20670E27E22C9EDE889ADDCA4348,SHA256=05485C46E2892E79961DE44B7EC7A7C243BA51E608616006862F1EA848B36DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.920{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF73486D9024186B4667150D0ACA2303,SHA256=2C8CB3B2B365D650D3F4F1EC446C30317FC7C91C5097D8FB789AB917DF92809C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.920{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ECF9DA941C1BB28EE8ABA53102F1DF2,SHA256=4AEA264614C0D7E5E61C216A41D83D6803FF68853B79EBC92DC60235F338DAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:35.778{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F253510DCCAF95F05D500A471680F755,SHA256=0D107466368A62AC027A30D2F6C88262669D0086CF8556847F6DAB533F0B48E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:33.742{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50600-false10.0.1.12-8000- 10341000x800000000000000084904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.467{6F8252D3-D027-616F-9102-000000000602}7161032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D027-616F-9102-000000000602}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-D027-616F-9102-000000000602}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.248{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D027-616F-9102-000000000602}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:35.249{6F8252D3-D027-616F-9102-000000000602}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:36.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E98069DE4138401CE64A19BD762AA7,SHA256=4E2E83C6CDA3CD036B607EACEF84428CE718D265C3DD532AAC378E619E3E3B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:36.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F62DCA14C5927DACF1EB919A34295,SHA256=F6DEFCBA13853995A72293E3B0ADC3F68DBBD283D4B2F565A28E634B3E9EBEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:37.809{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4338B4F6C0F9E7A48119D826C225965A,SHA256=925EC61ACD2D407D83B01453ADCBCB659EB668F3D03AFFC796AB87106DEC41AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.754{6F8252D3-D029-616F-9302-000000000602}15681940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D029-616F-9302-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-D029-616F-9302-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.534{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D029-616F-9302-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.535{6F8252D3-D029-616F-9302-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.363{6F8252D3-D029-616F-9202-000000000602}30004068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D029-616F-9202-000000000602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-D029-616F-9202-000000000602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.034{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D029-616F-9202-000000000602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:37.036{6F8252D3-D029-616F-9202-000000000602}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.363{6F8252D3-D02A-616F-9402-000000000602}23841944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA68BEFCE4F5DF339331BC9E56F0BAC,SHA256=591A78F83149D6BA458268D2AB63C57427AFA38E1F4C4E77E30B2E3F87888F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C396F9560A93C6DC6D002F08385793,SHA256=D07663494F9B97E89B04868DA3FC8A6C189C5F73DD0D074B5B383140232D30B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:35.676{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56108-false10.0.1.12-8000- 10341000x800000000000000084946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D02A-616F-9402-000000000602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D02A-616F-9402-000000000602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.035{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D02A-616F-9402-000000000602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:38.036{6F8252D3-D02A-616F-9402-000000000602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D02B-616F-9502-000000000602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D02B-616F-9502-000000000602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D02B-616F-9502-000000000602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.613{6F8252D3-D02B-616F-9502-000000000602}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.269{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A33AF207DA34A1D5131B874EF766EE,SHA256=0A769CAEB108EF4478AB723D299F6566CD3DF6F9BFDD1B4B28A8517A649CB9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90321749EF92AFD333CF5FEC6ADC921A,SHA256=E7E3704EE8B842ED7CF62D29A6F3122D70B7D19C6EE35CB8BCB0018C9BAF4F87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:39.935{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:39.935{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:39.935{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:39.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0EE95DB574A4905FD5C33920F4DA15,SHA256=25B61124F0E9F91257867037625725FDE72CA47E5D99412AE84644AEF9379CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:40.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D32FDAB8C4860F129B6E7D4EA23A9FDD,SHA256=F032860EA31B6D93575FC22B42B96CF8CB95B21356DD98ED95FAE33065E11C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:40.284{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F83E4F4ED66764E4F181873690C6B,SHA256=8EC0AC05626D3B0AC67020D717815BCF742AA2404E6BD53A53D93F24E9E2C576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:40.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC799D8A505C644AA2D34EE5A229147C,SHA256=4F37D6B0CBF0833A44579B84856F360E1F2AFCD9E89F2E9A319521D692E97E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:39.716{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50601-false10.0.1.12-8000- 23542300x800000000000000084970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:41.331{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A6AAD4A7340FD1C32A61C1B9FDE6C4,SHA256=44BE3A4F30A1338715DFEC506E00FBFDD960CFB421D1DAD9E0FEEC6537A638D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:41.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD7DD0FBE9CD38BDDFF70839D11E2AB,SHA256=900FD32B9D9366E9D6EB8005409CD7D95F638DFBF25DD4175F8CC4F5FD4A6527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:42.363{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21DEE34E4AA394AE782F8BE8C2C77CA,SHA256=E6DD9154F0AFB2C9964F106EFBAE7275EE4D2A416F1F9D28A6A7026D57038D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:42.122{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42913ECD6F464ECE0464B369525428D,SHA256=07ED97A5568D28DC648BC421433A0F8EB5186E5000DDF0CE357A78FA05DF7495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:43.409{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF5B6227A647F8892C180112F195DA,SHA256=054EE38E61A5427A262BA41E15794F81813DFD0C17447FA008F7D97E4AD3C3D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:41.645{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56109-false10.0.1.12-8000- 23542300x8000000000000000104622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:43.138{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCC49B9AAE583F7FBF21669633BB066,SHA256=95380D57CB47EEE119F0B743CDCBA0936658B04B3AA95714ECE1747DFA0A9D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:44.425{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AAE279A64B077B7554F60EAA5A8662,SHA256=EAE231499F1CE9A3D98B0E184C978CB11EB6D307124CBDD51056B15767879A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:44.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE83043029EB2E7F6CF5A984613994,SHA256=B72080ADAE395AB36E81E1F1CDF01DB0C3188879FD43D8F86A755C2AB00221C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:45.472{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F586A8F3C67ECE1C3C2D46E613136C45,SHA256=0A0B1CA5BA00D3350973E418A3C2DA980FD303E7F5B4CBB6496002E0677BBF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:45.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0677249BA38D62B32274A16E04C99F,SHA256=1E2F0AB937A4354F9CB2C0637C83E46BB7A8F736C93659D3C84600CD0447DCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:46.487{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B133710D2105DDBC950A48130A4448,SHA256=A8AD59FDFD6083BB4F2DA77ADC273E456CE240347AF97C68DEF38E70A42DA25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:46.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DFC5FAEBB014BD560219A3C8CDE0B0,SHA256=889A2429D3230B39708F361BDE67324A4F2BF421960AC64B700B1241DE945164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:47.503{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2D717B042E19D89F0B04D8B2ED993A,SHA256=4B6A11B01F3F3FFEC9D4AAC83EB968FEF9D4748267470A283E23B9955CC37E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.825{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.825{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.825{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.794{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.778{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.747{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.716{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.716{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.622{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.591{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.560{8D4DD44E-BF3B-616F-1400-000000000502}11041400C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.544{8D4DD44E-C6A3-616F-9001-000000000502}45322476C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000104628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.551{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000104627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:47.278{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E8919FB94B40AF84F9EC1C38437A8A,SHA256=9FA0A83A2A30044D68F988F21B98291ADCC75ADD654F289F38AA0018FB454210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:48.566{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87B34D3085EF1FC0DED1694D1620390,SHA256=FE404E854E1141891ADDBF97D289BDB2E12910693F74378E18E086866AEE6DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:48.653{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35672A2FE4222C163A631FEC965282E9,SHA256=D10811A827F5F76808D8B183D42261F7911A296FBED47DADA516FBFC1B27DCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:48.653{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17FA3435447A1109FA133078DC3FE17B,SHA256=CDBC4E1DFD7BD34D367A3B8D31D6CAA2EDEFAFA66F7E95AE248AA38A792A19DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:46.677{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56110-false10.0.1.12-8000- 23542300x8000000000000000104653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:48.294{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FD6F1AAA32C58BB9FA68888C70736C,SHA256=8B89D5C67DA65D6B8AC301CE4DE5EFC0D07F6965C29F21DBD316DB98282FEC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:45.642{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50602-false10.0.1.12-8000- 23542300x800000000000000084980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:49.816{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCDD5D948D09948C222EA320AAC4575,SHA256=69EE7626AECC478A72C2FBD15E088390F6C837CD3EF20D56CA3070EA6D091040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D035-616F-CE02-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D035-616F-CE02-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.794{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D035-616F-CE02-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.795{8D4DD44E-D035-616F-CE02-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.325{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB255254C180B6676CABB74C7329FC9,SHA256=ECC005E1D5556E6FE54CB5563BBFFC35456F36ED1A172B5A70C30771F24A54B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:50.894{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B07501E2A3B69CE9BC3DF47843DDF8,SHA256=5060F70245F43BB400A40403E75D9B61D69B174ED46269E4D85ADB68804C0140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35672A2FE4222C163A631FEC965282E9,SHA256=D10811A827F5F76808D8B183D42261F7911A296FBED47DADA516FBFC1B27DCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.528{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B058780BFAD0E0393D844DC73930E276,SHA256=890344F31011488179E31AC269BCFECEAF501CBBFDEAC104A80AD92685AB5C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D036-616F-CF02-000000000502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D036-616F-CF02-000000000502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.466{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D036-616F-CF02-000000000502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.467{8D4DD44E-D036-616F-CF02-000000000502}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:49.997{8D4DD44E-D035-616F-CE02-000000000502}31162416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:51.925{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ADC8C6D91EB83FADC305345F0BF54A,SHA256=031C0E2A4536BD1222CFBAD0564B0C51E6FE46C42CAF7E4A6510F4CABB8B38AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D502-000000000502}2544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D502-000000000502}2544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.994{8D4DD44E-D037-616F-D502-000000000502}2544C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:51.981{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WdNisSvc\StartDWORD (0x00000004) 10341000x8000000000000000104720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.981{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.986{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:51.966{8D4DD44E-D037-616F-D302-000000000502}1688C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WdNisDrv\StartDWORD (0x00000004) 10341000x8000000000000000104711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D302-000000000502}1688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D302-000000000502}1688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.966{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D302-000000000502}1688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.972{8D4DD44E-D037-616F-D302-000000000502}1688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:51.966{8D4DD44E-D037-616F-D202-000000000502}4348C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WdFilter\StartDWORD (0x00000004) 10341000x8000000000000000104702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D202-000000000502}4348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D202-000000000502}4348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D202-000000000502}4348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.961{8D4DD44E-D037-616F-D202-000000000502}4348C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:51.950{8D4DD44E-D037-616F-D102-000000000502}1072C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WdBoot\StartDWORD (0x00000004) 10341000x8000000000000000104693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D102-000000000502}1072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D102-000000000502}1072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D102-000000000502}1072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.950{8D4DD44E-D037-616F-D102-000000000502}1072C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000104685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.528{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD8B5EB082C6DE67AF21BAE49E28A19,SHA256=B7B73D3BB905DFE0DBE55879CBF093FC3E8CF9902343F1CD088C4D4BCDAB750E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D002-000000000502}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D002-000000000502}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.091{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D037-616F-D002-000000000502}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.092{8D4DD44E-D037-616F-D002-000000000502}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000084985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:15:52.987{6F8252D3-BF39-616F-1100-000000000602}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c58a-0xb2fe2fc4) 23542300x800000000000000084984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:52.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB496119549884953DBCDEF5F384F12,SHA256=0FA86C37251DFC857ABEB9E7978897B370B8CE4648C6D637B83165AEF1542EA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:50.653{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50603-false10.0.1.12-8000- 10341000x8000000000000000105066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.919{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.903{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.872{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.872{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.872{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.856{8D4DD44E-BF3C-616F-1600-000000000502}12921680C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.856{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.841{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.841{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.841{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.841{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.841{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.778{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.778{8D4DD44E-BF3C-616F-1600-000000000502}12921680C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.778{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.778{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.778{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.763{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.747{8D4DD44E-BF3C-616F-1600-000000000502}12924788C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.732{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000105036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.489{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56111-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000105035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:50.489{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56111-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x8000000000000000105034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.716{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.716{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.700{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.669{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.653{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.653{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E5F5DC689E45A2EE03400B8EA62AD5,SHA256=9B040E813C18A0BCBFDF65AF4D8E8DCD1193FAE1B6FC62D9081898553AA42362,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.653{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-BF3C-616F-1600-000000000502}12921808C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.622{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}12921808C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.606{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.575{8D4DD44E-D038-616F-F602-000000000502}22842364C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.513{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.513{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.513{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.481{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.466{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.466{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.466{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF8BD55BF34B726ABFD34BEC8592FCB,SHA256=66A86A0DF48D36BDD284A8142CE863E9AA124117375E1E958D0103C916F6E787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.450{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D037-616F-D402-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.459{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="ESET File Security" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.435{8D4DD44E-D038-616F-F402-000000000502}10721688C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.419{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.415{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Symantec Backup Exec Remote Agent for Windows" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.403{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-D038-616F-F202-000000000502}19204576C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.388{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.378{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee SiteAdvisor Enterprise" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.372{8D4DD44E-D038-616F-F002-000000000502}42403740C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA03285566C535F2712BF814CCB509E,SHA256=6E1930C15C00F3C590C31C05DF45D7EC246A511D7F5259756B70325D1CC0FB0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.356{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.350{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Sophos Remote Management System" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-D038-616F-EE02-000000000502}48242976C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.341{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.325{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.325{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.325{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.325{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.320{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Sophos AutoUpdate" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-D038-616F-EC02-000000000502}44441552C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.310{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000104882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94D459C8C469EEDF694BF0FF83712A1,SHA256=FCF5EAAF5A69ACCFCCF0A872B276CC4528A9C8EB48C095D497768C996E0F057C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.294{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.290{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Sophos System Protection" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.278{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-D038-616F-EA02-000000000502}43162880C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-D038-616F-E702-000000000502}38801132C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.263{8D4DD44E-D038-616F-E902-000000000502}32324704C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACF88A117BB587BEF9F93396F5ECD19,SHA256=3F0C7E3D71D02B46E5DB41E08C6BDD0329A237A1E8CB425D34047526B78438DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.247{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-EA02-000000000502}4316C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.247{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E902-000000000502}3232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.241{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Malwarebytes' Managed Client" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.236{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Microsoft Security Client" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-D038-616F-E402-000000000502}33922584C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.231{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee Endpoint Security Threat Prevention" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.216{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.216{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.216{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.216{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C6D6E6A7F76991C67FF2AD7FED3250,SHA256=AA6FB855676C6BE948D84E7E7B3BF3D24579A1F041658B5FD0ED7EA774BA7756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.200{8D4DD44E-D038-616F-E202-000000000502}39164676C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.185{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.193{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee Endpoint Security Platform" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.153{8D4DD44E-D038-616F-E102-000000000502}1900100C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.153{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.153{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E202-000000000502}3916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.153{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.138{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E102-000000000502}1900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.138{8D4DD44E-D038-616F-DE02-000000000502}38604964C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.138{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.136{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee DLP Endpoint" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.128{8D4DD44E-D038-616F-DF02-000000000502}4340C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee Agent" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.122{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-D038-616F-DC02-000000000502}23921668C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DE02-000000000502}3860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DC02-000000000502}2392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.106{8D4DD44E-D038-616F-DD02-000000000502}3904C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="McAfee VirusScan Enterprise" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.094{8D4DD44E-D038-616F-DB02-000000000502}3700C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="AVG 2015" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-D038-616F-D902-000000000502}13044620C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.091{8D4DD44E-D038-616F-DA02-000000000502}13401428C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-DA02-000000000502}1340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-D902-000000000502}1304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.028{8D4DD44E-D038-616F-D802-000000000502}908C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Symantec Endpoint Protection" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000104747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.013{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.021{8D4DD44E-D038-616F-D702-000000000502}4864C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic product where name="Webroot SecureAnywhere" call uninstall /nointeractiveC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:52.013{8D4DD44E-D038-616F-D602-000000000502}372C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\SecurityHealthService\StartDWORD (0x00000004) 10341000x8000000000000000104739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-D602-000000000502}372C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-D602-000000000502}372C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-D038-616F-D602-000000000502}372C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.007{8D4DD44E-D038-616F-D602-000000000502}372C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x8000000000000000104731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1031,T1050SetValue2021-10-20 08:15:51.997{8D4DD44E-D037-616F-D502-000000000502}2544C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\WinDefend\StartDWORD (0x00000004) 23542300x8000000000000000104730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8BF3ACBFF799DE5EC5AA98B14E566D,SHA256=BCCBAFA754599735E9A9FB3D5FC8FE48F5BFC4D16B4CB4FCBEA054C005348B6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:51.997{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-D037-616F-D502-000000000502}2544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:53.956{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD21B31439492F2E426C031F43EABA1,SHA256=015A25D64717F27451CCDDDF9003E6CCDA635DC343ACC953447337D4568969A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.935{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E704640900184389CBF5B0CCD029EF93,SHA256=22A139AF0753186E1AA036E7CF50D4CE0262D41491ECC337A5B2D061A74D20BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.872{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F2F15F066F237DDD6A129177E05839A3,SHA256=310F813E04B0908A3963412E4703A8A736EAB2DE7D6D3F729815C5B467CEE513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1B6D3B0777A7700A23342CBCADE73BA0,SHA256=00AD499C38812DB31C0EBA5A9CF4255A4BC215DA79E153F022D43D1C60A3A4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F4187F49B463C6AAD3B02F403D8BF3AA,SHA256=A645DEFB033C1479E2A819889AB2F482307D6AAEA13F7D570D7C8719A5C3B1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=136643211E44BB95972536CD8C43F93D,SHA256=DAA45793C2E9AB821F82F7C2C281296E4832FC76A2D4497323DDA0E9FE504C30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.606{8D4DD44E-D039-616F-FA02-000000000502}57605764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.606{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46ABAD173BF9DEC154E6434AEC0CF087,SHA256=3628607BEF623FAC346B22D9A25E28DEDD889568F25227A2779EF138BC54C1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.606{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670F641A3CE58AE3B68BC12CAAA982DF,SHA256=E98A69AA75E3D9A2D0D226BBFB795D1492FB32B6012152678725CF818B76D3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.544{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46ABAD173BF9DEC154E6434AEC0CF087,SHA256=3628607BEF623FAC346B22D9A25E28DEDD889568F25227A2779EF138BC54C1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.544{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D38AEF46C41642D0D2D651B5D9F8122,SHA256=25F892D0C66597CDE2EBE56E061CA38BA49087F2D0ECEECDECA3E41D9C3D27BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA09F82914462529CE19DCC9D19F580,SHA256=B84EE79AFD56ED30B44A2B0E012E55F82462005E4C60C62453AE6DA50138AC85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D039-616F-FA02-000000000502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D039-616F-FA02-000000000502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.466{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D039-616F-FA02-000000000502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.467{8D4DD44E-D039-616F-FA02-000000000502}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.278{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520039C8D789EDD611DEF5851C406DAD,SHA256=AB077769F4BE3C2283F9EF63ECBACA09226194F510362294D04241B811D9A26A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.247{8D4DD44E-D038-616F-F802-000000000502}52485252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.232{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D039-616F-F902-000000000502}5620C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.232{8D4DD44E-BF39-616F-0A00-000000000502}6243356C:\Windows\system32\services.exe{8D4DD44E-D039-616F-F902-000000000502}5620C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.232{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB63165A45E32865D71FF379C0C9B274,SHA256=5BEF05AD409049509F1B85DDFC7B35EF8B32377091F3FCD89FAD38B841F95075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.232{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4775C699B17FFA0DA14DA6329BCC60,SHA256=3B8C08EC5B3947489F43B78F9E81D0863D9AFD1F0F10077577C5C2ED3060614D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D039-616F-F902-000000000502}5620C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.200{8D4DD44E-BF39-616F-0A00-000000000502}624600C:\Windows\system32\services.exe{8D4DD44E-D039-616F-F902-000000000502}5620C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.199{8D4DD44E-D039-616F-F902-000000000502}5620C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000105184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.185{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12925552C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12925552C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.169{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F502-000000000502}3732C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.153{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.138{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.122{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.122{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.122{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.122{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.107{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.107{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.107{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.107{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.107{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-D038-616F-F702-000000000502}1480NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8CA5E7C4EB75E740367131747417F74BEA0896D1MD5=C4C57F7FD53279BB9527DA4521DDC448,SHA256=D586D3B349E958308BE2D978F8968DC6FA29656C174EC7DB9A33B30F9F2AC2DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.091{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.075{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.075{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.075{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.075{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E802-000000000502}2468C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.060{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.045{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.045{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.045{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.045{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.028{8D4DD44E-D038-616F-F702-000000000502}1480NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8CA5E7C4EB75E740367131747417F74BEA0896D1MD5=48C99F62A52806DB8AB1EDD007A71696,SHA256=37E034696F8FCDE79C6C626F25229CC371BABA32D31644527EA16105832641DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.028{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.028{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.028{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:53.028{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F602-000000000502}2284C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.997{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.997{8D4DD44E-C6A2-616F-8A01-000000000502}21284192C:\Windows\system32\taskhostw.exe{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.997{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.997{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.981{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.981{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.981{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.981{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D038-616F-F802-000000000502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D038-616F-F802-000000000502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D038-616F-F802-000000000502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.967{8D4DD44E-D038-616F-F802-000000000502}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.950{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.950{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.950{8D4DD44E-BF3B-616F-1400-000000000502}11041396C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.950{8D4DD44E-C6A3-616F-9001-000000000502}45324852C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E602-000000000502}4960C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.935{8D4DD44E-BF3C-616F-1600-000000000502}12925224C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.935{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-D038-616F-E002-000000000502}2956C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:54.987{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5949D522351D04B48F18ACAD061AF9B,SHA256=A59F8B5A7959224F99F8BD2446FFF1AC1036BC598E8F2C27C852AFFAB13758AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.586{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56112-false10.0.1.12-8000- 354300x8000000000000000105243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.567{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-185.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x8000000000000000105242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.732{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=050C127A54B23E8FC1E2731497A50CA5,SHA256=3B4EBC48A8456B5E72F5A13FED5695A893454C1F2B6D22BB9041798871103716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.669{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C40F43602539791DE4415741D65C64,SHA256=8A57C74FD82E1043591BE54E10CE22210A448231426DA81703BA66B187C0A502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.653{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9C146C8DDE0E8377B01914313BE5D9C8,SHA256=C2A33740C8D4748679E8A22397F9D6C6743C91CF85DEC853321B2FAE16EE755E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:52.528{6F8252D3-BF39-616F-1100-000000000602}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000084987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:52.528{6F8252D3-BF39-616F-1100-000000000602}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000105239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.607{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6AD9854AB5167F3C341810D11175CE5C,SHA256=11E3385697343F1D29D5C09E3188F87FA97C97EE9CBD1FD433BBAB6737AC0FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B1ADF660D9D72EF9FF54D108ADEDA5A,SHA256=C1EDFE6165208726A36213015D8CE54BF4FC7CDAEFC2F38889614F7938FC0A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.528{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E220D66B88E810F0997C216464BB84CA,SHA256=D8E6F743EA05DF5DAE6C042FCDCEF8CED88DCC156C240D13589591D7FEFAEABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8C6E9FC9CEF85C5AD2611A6F721C94BC,SHA256=FCC2591D89650797452353248FF98509B9B655726AF170F314454A19F0DBA960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.372{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4FC597D43A6AAFD6A8A6CCD9F464CD9E,SHA256=EB8B51F56D998969512574B0AA54A60436C39129A2661F605298DF4EF16411A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.294{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29DAAB974B041C139FBC00EB53DBEFD7,SHA256=8178542B198BCF291F78164B2B497D3CB0BDE6ABE6A5ED550C2006C8C9F3245D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.263{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C4BD12FE99122FB38EE674864E5CF2A,SHA256=45F9808FD799479AFD393AE6ADC0278EBE84BF050F237803C403260DEE46B2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=34FEC5238552222AEFC1273F6D26570B,SHA256=6C22D2F698150E1E631FF88D8E11F7009CB9BBA654A53075B027FD63669CF750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3C6801ED63B906A99B3B7AACF01A0713,SHA256=3BC9A037555D904AB58ACC2EE93B165786A5F0FCFD17E6E0D59385372FEDC983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.216{8D4DD44E-D03A-616F-FB02-000000000502}59365940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.185{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418BE0D06B4DCD9532D189129055CB6A,SHA256=C6598143310C5C8DB69ADEF4366700727C314A0D4EA5EEF2095566642C2C0917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.169{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=79E34DF9EFA12F50892441FB8D492208,SHA256=2630EA398C11125EB068C6A29FD127D73B48E402C57CAC766F34D1A1157D8D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=58F32A2F90D98FDE51BC8548A9386947,SHA256=0757E352E1236BAB5DDBB0E174619F40C564B597BBFA279701BB6857AB5E882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E3CD41CAA8D885A4472044FAB673191,SHA256=1F549623D8F0DC211877872856B6CBEE857395AD3255C117126008268F2A2A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D03A-616F-FB02-000000000502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D03A-616F-FB02-000000000502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.044{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D03A-616F-FB02-000000000502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.045{8D4DD44E-D03A-616F-FB02-000000000502}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:54.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=27769D9E8CD6F16FE99E3C7C12CF8F1A,SHA256=9DBBFB8FA34380CC448212724D9207AFC22D3FF5F91EC4B531E1B7C242061B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.950{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F4B60AAEA59B2CDD456E51AC5EEFE0F3,SHA256=333A66105AEE5B9E08005466CC04CEDBE418E7B511044862EBD46568A3BD8BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.669{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE9B1816B77C77AEEA97BB7C0C08C74,SHA256=A3FC1E0E10BF2DFA3598CD31098C68B64B75BC64DAEA120A34072E5E895EA235,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.513{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.513{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.513{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F302-000000000502}4124C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.497{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.497{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.497{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.497{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F402-000000000502}1072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D03B-616F-FC02-000000000502}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D03B-616F-FC02-000000000502}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.388{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D03B-616F-FC02-000000000502}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.389{8D4DD44E-D03B-616F-FC02-000000000502}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:55.341{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3B973577F5AAE3C8F88D3CAD2E2031DE,SHA256=C34AEBD178EEFAB9353E8DF9B72BC1B9017B94D1A338D73E5E77D512831C2AD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.689{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.689{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.689{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EF02-000000000502}2472C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.674{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.674{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.674{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.674{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F002-000000000502}4240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.674{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA691D204A0CFD1AFD91A1CB56DDACBB,SHA256=9FFE524A8439F9293A8AB3C82851028BBE8750CACE0A3F096515A6A7220946B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:56.008{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7A434605C60F909B79EE498F0070B,SHA256=CCDF28D064B7F935DD9B0BE61889217ADACA355506AD108FA3133B3A8F62EB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.580{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F87222CE8FE149373C03AAC5E855E1CA,SHA256=0A7BF0E73468AC21BED60E891D823393038CFD400FCF695ABAF55AE06F2A303E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:52.665{8D4DD44E-D038-616F-F702-000000000502}1480<unknown process>NT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56113-false93.184.220.29-80http 10341000x8000000000000000105274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.564{8D4DD44E-BF48-616F-2800-000000000502}29323084C:\Windows\sysmon64.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.564{8D4DD44E-BF48-616F-2800-000000000502}29323084C:\Windows\sysmon64.exe{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4F47B19EF5AE4C3A5D98F6EB9928B119,SHA256=2A8FCB455D5DD785E792C575FE69A7538837A402CCFC5E3A0FBFE1BFE072C348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=443B453620B2846EAD82780D471DC4E5,SHA256=6A6158EAD3330EC9B826496048A390FD9E0CCB6D257D70708B244273B1F2ED65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.143{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.143{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.143{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F102-000000000502}1548C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.127{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.127{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.127{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.127{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-F202-000000000502}1920C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:56.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4365D02574B09940097FEA4231727997,SHA256=769A10F2BA08633298246FF29BB994F2AA816525B0A9D7A2DA8C515DEA9420E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.939{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9B54F76A228036BD140BB7180751E99C,SHA256=A2974197F7AACFBB7F6196D8DFDEFC59B945EDFEFC10CD63877D72327FC70306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.924{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.830{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.830{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.830{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EB02-000000000502}4556C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.830{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.830{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.814{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.814{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EC02-000000000502}4444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76EFED39C1A8F84A6ADC6301A513A4F,SHA256=DB6901E7A925CC3B2840C3E6B5B15A31D86D30CB89A0A8E094BEDE8F29BD3356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:57.040{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C0BA3399643E4E9EDD414D2812A71C,SHA256=110F83300FDA63043C851DF1F6E6ECE127C4D5FD9C88CE56FE4E5DCAE43507F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.517{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4FC2EB480A8D59ED3AD8575A26E62CD2,SHA256=5E6C55D9B61DE1770B49E64E47727CF6C172C2C94DD11CA4EC82B7017B0FA676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.127{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11ABCF0C27C1CFEF0C4EC661365B2EC8,SHA256=4C7CF7E00E41FBCF4BC5131488739BB5C3EB060BE9AC12B6672FF232FA398C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.064{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.064{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.064{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-ED02-000000000502}216C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.049{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.049{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.049{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.049{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-EE02-000000000502}4824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.033{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DB81523328AD4CC6362400E3C015EDE4,SHA256=4E6768B6A8E5FBB243666A552BA977EEB2852029141CF0C8CAF14045819198BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.908{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0D314B7D10C78C7117A6C64DBFA20AC1,SHA256=813F49FB77A984B939C1B33D51FA173275E544A0CF7604C7CACC8374B6355D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.752{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C93F81FDD6B98795A05B676A8475E8,SHA256=F119F077CB39CF68D48A6BEE822F9E9169E2197AEDEDF562F5C24B50173E3F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:58.055{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0993070951521E1CC2E2A7F33EB7EC9,SHA256=98201109FD1F143081DB1784FE6D68B6A21F2A05FC24549084EFA587533F8FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EFF55881F40E3D9ED2D54DAA16A44487,SHA256=1749A2C132A9A17B44F9FD9B895ECC0448C6749B096C2DFF4FECE8402B01E297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EDF7BC6D19FE972777547E4786D41049,SHA256=BF219959ABF9DB72ED71C5F50B7ADEC5E03766F06DECAB3421CE1EF2599AB666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=018C0845411B54886E8C88D70B3725B5,SHA256=04CA51D6C6E861611A4AF1E3F0E4BCE1FD31FB6040B04443F5E637C454E8375A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:58.361{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=89A54EAD7F4A867ADE5FF307F108A540,SHA256=CD77DFB6C1597F92F4B1A800EEA40F91A3A3DA88347E3E5B5BE7177F46BD62F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:57.666{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56114-false10.0.1.12-8000- 23542300x8000000000000000105317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:59.877{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3F425B34DAA5DB0BACFFE48EAFD5A3,SHA256=11FEEA18F46ADA10AA0E41C0F0FF748335F3B96EDB9C543184B2501BC7DFEEDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:55.690{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50604-false10.0.1.12-8000- 23542300x800000000000000084993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:15:59.071{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8988A76D10107AE6B5D221014EDE7B42,SHA256=2D0211F0767184412A218C8E9DB297128F6A0F9CBEFCCA80328620683598A166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:00.909{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CA816ADC622B48520D16277EF2BA26,SHA256=0B71E8331A970543E727FB686725AD4EB9BCDAB682D57CCF4B76E1B03A440BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:00.133{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9525F1A68E297558892C513A1EF33500,SHA256=D69FD84581620E37A0850F6464E5D3A95F12D8D51A78BC46455AC36185DB678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:00.346{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96124EB4D4E715AFAB5D427A3FC275ED,SHA256=81F1CCDD64F1B946F5113EF92AE1ED7DA1FE65849FD0607848645D2BAE80EB08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:15:59.635{8D4DD44E-D038-616F-F702-000000000502}1480C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56115-false93.184.220.29-80http 23542300x8000000000000000105330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.939{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0CC26524A52A6F9473735157C7D0E7D0,SHA256=F9F97EF3AABC9FCB287AD79CCA80EDC058634235F1292F2A4CAD5D6E3CD9AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73614131FBD86EDC4DB89F71BDB51B28,SHA256=FC94C12DA2047E6D50EB9D816D177C7053FAE2DAD32C2443321BFCEC393A6FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:01.149{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159711993E70BD4E380CFF2F36573780,SHA256=E6DB5B4AA0DB7919AAAF680C824A9CCEFA55A6C481D6AD969BABA33B1FD0237B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=362BCF10871E4CBA2F4320D71DB3DABC,SHA256=09DAC1DCB23379D2427F85E713A48EFD4994726DABA4C9AC99E23E6B9AFA9F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.455{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=33C95C006466EAAA03A9669ADD66C027,SHA256=8998E56BA856B9DDFD82EB95D10324065A8BA184E2FD925C10801710B8E09F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E0900B953188DC1B50A0ABAD112743AC,SHA256=2C7992E767323AD6DB85F741D6AA66BBBC574C807791264F1632DB75BF238BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.377{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=669F73D7A14F64470157B455DC76965A,SHA256=DAE3A94B3154BB24583C082C2DCEE0A1E96BAEF92E68199F353D42FE8D66B0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=619347BF0F495818FC5CFEBFF11C8BEA,SHA256=DA3919BC684E8B58E44FBEFC7C62A112FC7985373149EC64352DB1EB99ADEC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=07EBDCF36AB484D9A5F5CA5C1799D363,SHA256=CC8D794A177B05EB05924E8BD6EB12F1FDAEB9C28FCAAF0F576BC9B0E1D4A98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.221{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FFB95B51D020A102DD3B9CC10000BBF3,SHA256=1E0C200DDDF09F4CEDDD046CC792B013628F6DA551AF8F43D498E271A11B1719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.174{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=32F3C2D149E7A5FE1FE89C8C13B85A63,SHA256=311CDD44632771C55920B0E44A3A55F548254B0781C271F74C5F1064C8CF8D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:02.971{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C07A77C2C2ACD8524CE92A8A5BD0D0BF,SHA256=641156189F84EB7FA3E18ED0611EB6C8D7E31AA8D8B6219A9BE642A69F0BA74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:02.939{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA612C106A67E2834BAFE389B218675F,SHA256=B84316DAAB50D231F2F4C740085F383FF7722565894558D20B61F6947ACC80BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:02.399{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54908DD0F7AF80C2E0E5EE3DB1B6D0B,SHA256=344240100AE1DE229A3BEC986B2DF4C9971CE2228720138CA01FD9D3052F5730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:02.893{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=811E352A24C6CBC4BC5F14CED54C632C,SHA256=FBE8D98613FD1415AE6F81F0DF26AC62CE44CCA7AF143DF96E6FAAFE9B4429F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:03.414{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9A3F73520363F4E42C2B632021DA0D,SHA256=34931CD18AF7CAEDCF1F051F050815C5044A69A7E0121809620ABEC67966D6D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:00.706{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50605-false10.0.1.12-8000- 23542300x800000000000000085000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:04.493{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D8F2370D06E3DFA3DCCE763C895C53,SHA256=332F971472F05F9D5BFE023354754E1242893887266061445AD87C8C473AA9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:04.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=626FDC0056EC10E22604B0216C3A8A56,SHA256=0270E5C079F9BF2C80DFD8095015D71580CB6A7BB994711DB5A85B6DB75DAB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:04.236{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4BDA2E6B045ACB70558A2E10822B39AD,SHA256=17C29EA0B132097F514609FCBF1C244D992B660BCEAF0CB7E5DCC82D34CAD8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:04.158{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AF1F1177D80E25238BF2A00FE5A0D4E3,SHA256=9C47DE6031B5F6539D6DA4FDF20FCC5B02266C8DA22ACD786861D39873671DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:04.127{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B628864DCC36BBF34679FDC5DD1D17F0,SHA256=541BB68FFDE42972FA2657DC66398BDD54CE80EDDC3EC7DD15A1D8177199CECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:04.002{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21C0A9697E87081009C1ADF682464C2,SHA256=6967667C1C02C7A09303BC7E6551F22A6190A751BABFC934480CB01D45244D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:01.838{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse120.26.204.238-24872-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x800000000000000085001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:05.727{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87A3CD6DE156E9E767997FD3BE14729,SHA256=01E168EC54AD21BBBA56D40946493CE7720BE939B532965502B36F934453FA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:05.846{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51E280DFFC6466B883DD787A3737565F,SHA256=12817897FFAE16D5A90D02DD65100940BF7DC8698136BCA4AF187BE474249DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:05.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=369F45512F98637885A0CABEB2596908,SHA256=A26608800F51C109D94F4956162E1AA47F37ECECAD556D32A5563E22332DC696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:05.361{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4115147A1A12E26180870385E9D510,SHA256=3CD15C738C2852DF91411ECFC90964E3D3F6673FA77F8B67886BCFC656E75568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:05.018{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73457FCC222EA245C2D51D47A8B9D5BE,SHA256=B004EEBB5565ABB3A3CB03FDAFE782DF1367344930DA9E2ADFC58467F4ED4EC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:02.729{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56116-false10.0.1.12-8000- 23542300x800000000000000085002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:06.946{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13E3BB56B27729CFF7488C1A15A5C1C,SHA256=01AB23CD59E14452591107BC249AA48ED5B30345DEFA3F5A592C114D558EA92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:06.955{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=92455B559190D617D1AD847A90A4E4AA,SHA256=641730E1E6AF9CB5CDD3E2F4A1F7B8180B1EAA802DCACC49952E576C362064FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:06.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9A75023EFE2D55E2ECB106DC76C50A3B,SHA256=5CB0A109A95FCDB26FE4F6297FD99B229B20537FBA2811B8497F769854B007AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:06.236{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA6966AA12334A752DD0E41B282E99C,SHA256=AAEF3A969A0E0D76DE19C7753636A9527F864F6BDD4212BA1C43F7CFE1058FDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:03.462{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65507- 354300x8000000000000000105346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:03.462{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:e4dc:c6:ffff-65507-true7f00:1:0:0:0:0:0:0-53domain 23542300x800000000000000085003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:07.977{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E673D448A610151073384ACC6A02DA7,SHA256=EB93E64B1D7DC39051F2DF3BD326B3FEE882F0F7C2D4E30E1E8597D3763F25AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:07.252{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021A8023FE7EB9E4A29A49A7D5BC5105,SHA256=B280ADC9BC4FDD62F290C22A5FAB84404F814B456E7D649DD499F3E04B1C51E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:07.127{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=24086416D5F6F7E82EECB01F4B5649CA,SHA256=045FDB54BF753B481B46EC735C733E1CE44B8D817F631FFF50B459AEC31449EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:07.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=332E670B11E945A88707A79D43876395,SHA256=30FA2A92E3BD3100D918A680522B7FDC963A3515FE6EDD7804AA0DA3B04F3C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:03.483{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65507-false127.0.0.1-53domain 23542300x8000000000000000105352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:07.033{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1583F25BDC89F4AEB4121EA758136CB5,SHA256=82BD01724ED8D9D26C063414462357E8E0F43AA4519F04B13EEDA11388105DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:06.986{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0529D981A5E91E36D8AFC4453C74EC7C,SHA256=EA68249FBC82EE411E51B3EF9981E82D30169484C40245C9F4FA955A34C692E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:08.992{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE39E649FC07A799A37307C2188E18A,SHA256=0686C7BD02DCB038D47F02B7C1E48C201E886148B892EDEB0CC1E395D524CDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8C39D6C3E888BD7BB0C2F2C0C77C0EFF,SHA256=C48AAE652B1CCFEA814624912592326E64F68E8245DAEAB0ED56E66A0AE7EFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.768{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDAFF9510F3DC749C2E8BC3751629151,SHA256=BE0D4E40A1976AE7D3A94F6D054CE524B301F9A72EE24EE673EA02086398F45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.502{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FAEB73DD89DD4D12705E3D19A2E730,SHA256=0F4300669766C79484F19898FA28679817AB5E3BB66F9028DF9A4AE670EA4F83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:06.658{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50606-false10.0.1.12-8000- 23542300x8000000000000000105358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D4E8F9D174E6DBB77C60FCE24DABF630,SHA256=11BF54F41EA0EC167EFD427B45274CC97A5FDFC51B176A4BC0338566773E750C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.189{8D4DD44E-CFC8-616F-BF02-000000000502}24445076C:\Windows\servicing\TrustedInstaller.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+53248|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:09.680{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:09.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2578AEC7411641474D8F2E4DA417F0DD,SHA256=1B70543DB1380297559FF075B6DBF69893A920F59D72C84AD7E1860E6F3059D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:09.502{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944EB5EA7F2A23C16B1AAF8B4ADB6532,SHA256=702D0E6C7A24AB2C96A3C009C90987E76DE0D02133DE2212CBA0F705B1B7F585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:09.315{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=772662B1B786C235EC435F0F053DEC55,SHA256=47B8C8D0385EF52745A8B4740232725E8DEF25B42968866231FD10ADE748E27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:09.315{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=34FEC5238552222AEFC1273F6D26570B,SHA256=6C22D2F698150E1E631FF88D8E11F7009CB9BBA654A53075B027FD63669CF750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0B363C59FDF3C5623D1FF1DB4577B269,SHA256=E9DCCF94FD020D1558CB1AA7F3CEECC0C348DBD6B76B057ED2B6E2A2D603DA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.768{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1805930AFAE9D61F0B685809A4641B92,SHA256=5454975E304C5B950AD93D3A41A62B3C386811AF782AED13E357E241496AF3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7C0A53B64A20B8C31F246990188446,SHA256=B26A023CD1DBC5CC5ABC0A4588828C73FBAEEF597DBCADA5EE2249AD4414C1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:10.039{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA89D30B3FCE78B5B4C1DBA7C77AD03,SHA256=3C0D18D13D5F2E6C0DC3E0D156FFAF258F08F72677820F1456082069424E07CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3CB14E99FA8CBC5CF444F5D0F280C62,SHA256=493B0AE44EA686B6E09FEE5D652370FDDE2F38A7C3077EDA81995C3062CB3266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E8210139B7A2EAD28FBE6AD6E855E569,SHA256=5EA431B9CE7BD0F41CA215D4C6C707CBFB6F38B2D6ECFA1C08BA45EDC17BA948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.252{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8C6DB2F5270F237A68012EF8FB1F7F5D,SHA256=026906BCD4CACB0B792F7AAC9C5045C32D1A08AD619F60BA78A743B62FFFE6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.221{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=720D60BC62F60E1559B4D042C51A4E6B,SHA256=A845615A80BE1DB50F078CF04BA6F8039B32928A70F44C91C54759F44A9C979F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:10.174{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=94D20AA67456B6B812DDE9200A34583D,SHA256=D147AD03D05A81CAC518231E6897F4D056251D355A265F3951306C35F4F8FC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.893{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D9893812E57E655D2222942B9713C1C5,SHA256=344B7A7109A8803BD3F9048FAD59FE16675E91AD9D8FFC1E0FD03CE331CFACE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.861{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4817D36590590ED4A13A1F4A19AE66D5,SHA256=E2AA6729857113D60BC57492E635261260E186EF2361C6F46047FE3261E1B6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EC731BEBD1DAAF30255526B05D8117E,SHA256=06545FC39EA2D145AD8A060FA4BAEBC5D01E6A31D1B9BA524D38918A29D35DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.783{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=57EDE8E65851992E5128ABD97CA68503,SHA256=895038A18C3441F79E75F7EA812C5029C52332A618B5179394B02DB552E4C653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FEE68C113B23D85A9E859CB401AB2A65,SHA256=9F2C63E7776F56454AED081555B118889B16A929A90FDE73860B1D9E9108C69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.705{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DB518514F56210C5DEA8F310ED828B65,SHA256=879048DADB7C411012CC7977B95692F9BFCDD0735413030E74686D9EE9F313DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:11.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F4C5F561AB6ABA66C241AAA4428200,SHA256=1ACA2ABE8C7CC9177BE5E82A029CD3DD8BF9EBE23F795A6D45A6845ABBA2E57A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:09.221{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50607-false10.0.1.12-8089- 23542300x800000000000000085008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:11.086{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD9D99E7971537FE3E07622F5BBE571,SHA256=11CAC48D8E97CE4D803F89DE56DEF9573535947590CDA0098DDBC42C4B00F1EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:08.651{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56117-false10.0.1.12-8000- 23542300x8000000000000000105388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.861{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=410D1908F0F63CF9D9F9598E55C2DBA4,SHA256=72CC0667C51E8CD0DAAA00E38703A80C389820AA64530F421E190B6ADFB10FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.830{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=08091A580BB136AB1512D46ABA31349B,SHA256=5AF66EDC764E07660CB2EA1FCE8E7FEC8C37865909AB46E54A535BD56C1290FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9CBC148FDF547B7AF3783F08BC8180AA,SHA256=4027F17E5CA2E0F41DDDE58130C644CC706CD5015F9E6BC6202A96B09C037797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.768{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=68495309FEEAAB88003B02B720BF4687,SHA256=AAE7B804F849F3A54FECFBB5B1AB5F3CCC7D2F787808AB59835008E7001FBCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0FFF8AD3AA4ADEE82DED469FF39FE1,SHA256=385E68340FDE78D6C61B84C412B33CD318054453D0FCCB02E97C110A95655CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:12.121{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-070MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:12.087{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A2634A0AB3EB86B4EE750A3ECAB46F,SHA256=5F07376B8005C3A2A9A7ED337DDF32B2209C50E3E729058F51ABE9FB18AAB0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8DCA12DF98FDD190E88DD157DF4E4B87,SHA256=D9CC662EF38798B1C85670B803E931DD3A6E64781DE4239472AC6A5146E78CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:12.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=885FE1E88C08E94F0B5BBBB211FB1AB1,SHA256=C05AFDF5C64198BDF4AAA5F0618DB65B970A835618818B1ECBA4292B3BB2180B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:13.136{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B1157ECC9EF42D5FEF5EF4A7EAD0FF,SHA256=95717103DD84E3CD70B2C3E45E9AE4AF9C65D2BF3A8CB17F83AF0789383A0218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:13.134{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:13.940{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=607502580CA40E08C3CDC1A428E46B4E,SHA256=F8FDBD6F1FC9DEA731D5938A02092369B474AA998547B3DCF87146C6054E456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:13.564{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD406EE0D7076A9F90CEF3D3A92A96F,SHA256=9ABAC3A1DA47966791AF269F346CFC71839BE0C7F81715F4E44602D4D50AAA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:14.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EFC3218EFB42440B3B00BFBB1B240EB,SHA256=DCBE955259897CC73416716D054A0DD325559CD1D46DF52B475ED9D7F9E47AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:14.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2861FD7B1B6296AC8CAAFF3AA5C7764,SHA256=C42DC17D239B6A82D2612DBB6B9BF5DA3B5B19E58D305ECA957D437061D3D221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:14.580{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C363BCDEB801BA17032D4B8491433FE8,SHA256=30C7C94830A52CDABFC8CA9D9E00D236BE797EDDEC6568722E8A95567C6ED3CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:12.690{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50608-false10.0.1.12-8000- 23542300x800000000000000085014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:14.150{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D332A3595967B6B2D99FC3B4D79BD390,SHA256=1956D4824FAB815F59403D30850D0F55088E68817D2452A668E3830F83A227AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:15.987{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C83C29F0362F1532FBA3F05E6F23546,SHA256=B44C509A1CDCB6D5643C84FA0E26BF75099E5CF0E20F1CE1ED3FD23C17D2C4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:15.596{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342BE68537E7C5AFB4311EC715D2F6B4,SHA256=7EFBC526BBE2204E21B2B061243217B92B53540E8688159396423D1CD880E30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:15.165{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A427FB68A39F61B5769B446F43AC7B3,SHA256=3AC0B7700F903BC6B5891B36241F2C9127FD482E53EE9461E4495AC89F81AF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:15.049{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1F6EFBECD192B5680A22CE7539FCE027,SHA256=28C2F5FBF2EF5E86C29231CF057AB96ACB5295D17343906526595286DDDCAD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:15.018{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D6D8D1A987E77D1BC85D9CAB8F9A9C1B,SHA256=5B08FE275B7C525297AFF1AA44D3E5CFF629FF81ABFAF38D885260C653003CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.703{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5A775C1C1CA566F3C7991E92AC226F,SHA256=AEF3F51699D11C79A792F285429E2DD9B08D0E8EFCCBBEA6900F99A990F129C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:16.178{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D8C06CE733ADF3FCF997737B879548,SHA256=DF3948B8078E0453758D85826ADC0B6893E6C9D6EFB3EC0504360900A93BC627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:14.605{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56118-false10.0.1.12-8000- 10341000x8000000000000000105408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.140{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E302-000000000502}5060C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E402-000000000502}3392C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.125{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0374B54D9DE2944394501FE9121A80C0,SHA256=4DC559700BF306FC9F919CD869297C0A05FAC38164DD3AF6F2926DBC1E993AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.094{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A21B7AEBFB87AD080237D637D029CCE2,SHA256=6F7A98D985171318F91B95FEC3C966C7F0003EBAC39F8E5641708C345828D013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.052{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0F457D3D711B4BB31A881A6A48631ED1,SHA256=DA83856BDDF555286AB882C871A94A7A21DCA848D2B2EE00578577AFF7DEE75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:16.002{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=067A312088B6783E1A3BD00AFF13D0EB,SHA256=77480378DA6E4E59D73207EA223BD5A3305C82D1A90040AD957FC930E4B6166B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:17.703{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8092E957646C824BAB4DE01EF82DAC39,SHA256=819A4170415B03BF48CACCCC9FD992D8AAB72A60E725F4A6D20178A807C1F7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:17.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14455301D6C9A849EB790FFACE34E633,SHA256=AFCB9DAE79F0D7332F1F0B2EFD0D5D75580A12DFAAFA7CF543701F463251D55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:17.125{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4416D9CC6EA67290BBC0278346144A65,SHA256=81E581D8BCD66D43C00A78E83D976F63D1D0C4AB56533A749AA3C7CF4608D1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:17.094{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A408B7BAEEA60B06E5DA637F03E3C67B,SHA256=6257322F6D96A990DB8832A88ECB05EEF0FBFF47B0DEE5007B9ECDA3DF489730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:17.062{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E094E488FBF95E62A3B1D2795C937BA0,SHA256=318C4B8304E31FBA7320591A82F227FBF408B456CFF71A70F637B4DA4A44AB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.734{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CF9B133471FF88A72C8148F97F97D92C,SHA256=62E72B2C73643D21E1DFFBF83EEEC36F328AE79184FEABDBD7EC47C40EFAF81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.703{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546A6ACF936A9D36AF9B9274668C7230,SHA256=7C940BB5EC83AC5BA91FE0561E3E0952DC39B00C15474991F044C6CB22F8E93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:18.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB162957FB741AF8DAF5B1E176499E6C,SHA256=E9D57C4A76F9410CBDABBB804BCB987A6B16640B994AECB1B0D1C70C62D35C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.656{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1815FBEEA7C49E1C5B4E1C5673AE2CFC,SHA256=A9A9018768FF87617F0BDFBA06DB44AC76A842F6E460A42F520B9A8731E69513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.625{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4F9894EDC9EFDE4D1AD17BD1C68B182C,SHA256=CA95FE9B498ACDE7ED9A9FDDBF869DF19C67DE97A6C480970D3A8BD1907460CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.109{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.109{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.109{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E502-000000000502}4368C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.094{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.094{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.094{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.094{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D038-616F-E702-000000000502}3880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:18.094{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5971F2FBF3AFEE82767023353C1B5E16,SHA256=C9514B5BF5D7AF2D76473559EBD82812C49FA776CC852C0DEF974975F4BC20D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:19.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA09F72332B01B92F8FE181426F36FF,SHA256=0B760D75ABA28339264A5D18910C484B03597A467AE967EED9C5D3764BF8A900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:19.240{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92FF09BF3CAADDCF97AB8D207F8F5A2,SHA256=EC787903DEFA977A1240667E689C17C89851400A2EB20B79A15F97954010AB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:19.719{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3516A150349EE19E42A7A615BDCD67F2,SHA256=F4B76D9ABB1B601FE3C732ED9ECB4A93FB51D0C8EF6997EC5D47A37882553FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:19.687{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2DD2E6122FF411DA7150D684AE28EDCE,SHA256=90F5B3435F4847F6E3CF73C540C2F7323950C65EA2796122F250E52F8A77136A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:19.641{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FC942C45F7628DCFA424E9C41EB44E1D,SHA256=2D68E840AC315DB3A16D1C5D7908DDD583E185A2F32D94734452C4F743A02514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:19.609{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=50BF4DC8A33AF88530824322948F6A26,SHA256=0B9055EE8802C2A79577761E834FE7352E3C191B12108E69C55E82D54EA4B292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45322408C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.875{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.859{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=21361134D76D2566719DCA5CC7A06474,SHA256=E037959F0364BE15AE07102C53D7692EACA434D09A545EC4A701136A8E37862F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.828{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DFC46690BCBD4F413195CC25BD1492FD,SHA256=521808A5D52E165D408BE1B10F410F93A7C4AE5FBED60B03FDBF440A31C3EE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=062C88BF13346CCFE6DF5DF3CC655A12,SHA256=4098FF6239BCF1B20022BBB64B6394FDED9EC199BD80E8FB11D4F025035BC87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16C39542D9CBF061014BDFF934EFB0C,SHA256=8543C70F430FDE112A780BF27F28F358D2F110AEFBF5587F867BD9C3FA44C755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:20.256{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417FB7923B1FBFB3E74931DD35BA18FB,SHA256=BBCF7E1FD184FCDF84647FF6C6B2FF48310189DEBD3A24F3973C67CC344FB267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.765{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6637FE6F30ABD4F80E123D412B9E2895,SHA256=F3C044FDB502E150292CBF2851238EB5C360EB7EB1184DCF68C9F5830ACF832B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.719{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=303052BAA065358917ADBCBC847FD244,SHA256=A0CD2F3FAA533483125E7CACE3859EE6253D490B62DE5FF1801851930D293B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.688{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3E5CB16C285986CF380C89302774663E,SHA256=67810BD7F58816AB7C3C929190E37F00FD2E85253C94E32CE464AF54CB7F92A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.656{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67FCA35CE86B9F859ED3D835AE8E4562,SHA256=375B2992BA65EB6CB15F6D616930C562AB5EE7B503EF49B6BCF30262184BE66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.625{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AC505F99AB1C539033BB13A338C553EA,SHA256=E3C7E7E482CEB583099B56D65789FF51C2839A16CB70D34F31DE34B51A02E1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.594{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E35CC3D788B8C6D784C2F869757F5246,SHA256=2185774C89766EA32F364416A2817618936E7A5741F9286AB9BF60D5FC93B264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:21.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A37EBF828FF7479C2FAAA990C054E5,SHA256=6E9278B2779EEA0C462FDFEC56662320171467FA14CC9EEAC56E15492F7A9748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:21.271{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DFDD15070E36F80E33D1CB39671534,SHA256=7DAEFCD33792CA0C8BCBBC22D493C9D1B638A4A927F8E3550CC4C55452ED24E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:18.750{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50609-false10.0.1.12-8000- 23542300x8000000000000000105451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:22.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61854D29E92B823841325FE3D296A30D,SHA256=DB87C443253D8800F7B7D35D8993C007666919A59545FB2ED8A7E384D15B97A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:22.287{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA44CE77162DCE841CA56ECE3029D5C,SHA256=CD6B5A592AC6EC9443566A728929F327527381F5A6C705EF978CF05C9E5D7A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:20.539{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56119-false10.0.1.12-8000- 23542300x8000000000000000105452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:23.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4210B3C97887701415A21109DB9597,SHA256=6FB4308D19DA90472934CEE6EBDDED83C25998618332AEEF431911F040546506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:23.303{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8CFF00DBBCF8ABFDD97170CB4963D1,SHA256=05EE460E40C3FE1368C7F3A854D7F3A38BE1C06BBF3E2185A086EC80EE226483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:23.131{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01A8B13E4D5AD4F1D69E372943467598,SHA256=49A7DDBD1BBCC460CAFD79FE08C6A36F0EF6FD4379555FF9034F531FE490F988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:24.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB51E8386F26956890DE359F7043A219,SHA256=7DEB70E4FE838B312794239E89E614118EEF8870CB7FA889571AEB18DF79D47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:24.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EB913A2E87ACCD62E46BB327C74BE6,SHA256=574233EF25DB1D175C52BCE1CB87C8BC32BADCB2930914015161C35C553AEC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:25.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FDFE8A52017848F8395F728E4A3715,SHA256=6989E3B9EB7F837D8E47D7AEAB1139213AE2B87EF4377E623B11598C2A657A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:25.334{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED819958B4350FFE66765367DCB5997B,SHA256=9718E118719E4A99C1D081381D17D3CDB0B6C56D63B1D6A00B458194C6DC7167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:25.297{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:25.140{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E85092FC5D1784F6BA610FD6D437E378,SHA256=A4CEE6C458776360B0AEF2AEF4D850F752379001DE811A19D6CD27455117F3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:26.798{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338B5656FB20DFC866CA9D3FD3228457,SHA256=C9DE1651CD91772B5629AE95C73363D48221FA7140FC1F09DAC89A3E7A4D8F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:26.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD03A2F284EC9AC0C5B975704097901,SHA256=7082958B7E1C33C98332256D54B140DBAD4B7F56D746F196548896BAA68F257D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:26.739{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-070MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:24.774{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56120-false10.0.1.12-8089- 23542300x8000000000000000105462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:27.812{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC734C5C2CF430172DACD48FCCF8B5B,SHA256=FF4BA8B1746FDDFF6F0130B71D91E9E2CE21F105FF9E614F2A9D55104FEEDD9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:24.750{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50610-false10.0.1.12-8000- 23542300x800000000000000085030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:27.365{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBA17B3046D3C8B6BFC2956CF223CDB,SHA256=42143FE7F674B5AD6D87790151AD0ABBC057AA2DA273B603A6F3A972DE3D26B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:27.752{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:25.665{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56121-false10.0.1.12-8000- 23542300x8000000000000000105463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:28.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153D5818822C08E45837D109B5204CB6,SHA256=DF5BF1DAAEF0540BF555EAF24EA6BDC03735727E842B6CCEE5445E83CA22E7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:28.381{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBB2DCED0325006B7F37824D4D8FCC4,SHA256=F5C86CD821F1C0F84208D7D2919F7BD6DCFAEB9305B8DBF891A6BDA195167924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:29.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC91EE89A3CEC5F45CF2A1B6D380E52,SHA256=9FCAF53C813149A400BA3093E3AF369D9D405711B3FE8C5DF4B352664221A2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:29.396{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDAF2958A1FE0DF8654483BF986DD4D,SHA256=1A5B6C7A5CAA5F1035593C1FF4A0F3671E2E902E80343D0C9F7FB18832F113BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:30.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E15D848A0C1825FFCBB0217061F683D,SHA256=BAFCB25010C56262B9F84678032DA85B4485AB6C9600CA3877851804F51FFAF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:30.412{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917ADA35B2BCE9E7320697EC603A0248,SHA256=715FBAAF9345D51AAF1A31CD9C8CCD6FFF1409F9E0DC3AB9EE0D6A9DD0DDD9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:31.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27BAD4BAC37590D244A28B15FADB72E,SHA256=4CCF958CB2B7D1E61983EADA8A97B3F0B776E544AFF3EC9C6AB99C7C29DC7DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:31.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A36339D47422115AFE446A8F12C777,SHA256=89C93E401EF34DB25C447B9D6C1149171A5259959E1940A48967E9B1EFCB612A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:32.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0060DDE1C81D2AD6D8185013684E3B9F,SHA256=C1C90617CBE093A6FA8F417E52C4E902476BC88AAC54477856E33900A86AE1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:32.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7089B83941E0816591FD578944C635E,SHA256=BFCFD3FBF779A022516ECFFF3C8713C99767E54547FFAC0DD3DB5B2597A0BE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:33.815{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9FD4496D3F5CF45120596F51F28076,SHA256=1EEFE17F84E405680FA60A4F24CCE0C20687C43ACDE7793ADE4ED08C21A2B73A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:30.703{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50611-false10.0.1.12-8000- 23542300x800000000000000085050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.506{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55729CD7CAAD20992A279496280314B,SHA256=2F5B48FA64013813B4BD3D2E0B7725435E251E44563820F328CB58F17C2D8143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D061-616F-9602-000000000602}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D061-616F-9602-000000000602}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.162{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D061-616F-9602-000000000602}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:33.163{6F8252D3-D061-616F-9602-000000000602}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:34.971{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34B33FE9A17D5F7751F7F20FA129C70,SHA256=8AAA082B346B5728B21F77A87FD1D51E39A269BC86A4F6339DED9CF41B68A0FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D062-616F-9702-000000000602}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D062-616F-9702-000000000602}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.740{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D062-616F-9702-000000000602}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.741{6F8252D3-D062-616F-9702-000000000602}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.521{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEF39025B0AFA07A99375E94EDBC5BE,SHA256=F5A68C4D123FBC595FB122B19902E5FA5366938E48F18D8C2D57A8C3626EA47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:31.511{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56122-false10.0.1.12-8000- 23542300x800000000000000085053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.396{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD1123071CD64FE9D9A732AFDA22F21,SHA256=1E53FB38E3A2081BC8C196486C079F379C9B734CBB46F81CC9A3E1979B8B71BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:34.396{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758ADF0328E34A0FF7716EDF40B2DBA5,SHA256=EEB45838B5D0BB833632B871FE587D443DBEA158F4286C8DF8547FD5A991E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:35.971{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1D70DFDC177E7AA454A443851BCB95,SHA256=1CA7DD0B83B5ADC5E38EA1AFE6F5C8F7399190AE984FF36B55AE02680CCFAD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD1123071CD64FE9D9A732AFDA22F21,SHA256=1E53FB38E3A2081BC8C196486C079F379C9B734CBB46F81CC9A3E1979B8B71BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64610ADE591BD1CBAEB3F898C5FFF4E7,SHA256=7939B1BAEA4931FFE162B48C14023917401080B955799642E5C46068B526F229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.521{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8BF1348182C8BDF5C43AADE5400FF1,SHA256=1BEE207D742E801657CF064CC0738956302EC5BE99B060BAF189D20DC808EAB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D063-616F-9802-000000000602}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D063-616F-9802-000000000602}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.255{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D063-616F-9802-000000000602}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.257{6F8252D3-D063-616F-9802-000000000602}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:35.008{6F8252D3-D062-616F-9702-000000000602}26483404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:36.534{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE3E44373B70B93422763485C83A942,SHA256=76FBFB95B54BC15D2EBE6CEF34FA87C8941B27DD1513C9ABF50FC75986E3B3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.847{6F8252D3-D065-616F-9A02-000000000602}6961036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.659{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F759D966A4FBDDF8461DC12AF9E95291,SHA256=CFD380AF464F965402BF67E8F0E3551445A5F0944B5294EFA2A65C75C4E39E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:37.012{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D660665131DEBCE9D8671CEFDC593BF6,SHA256=C34CCFC3978B132E7EB16AAB7792DB05B0335A2EF28440D1D70C340949FC1747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D065-616F-9A02-000000000602}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D065-616F-9A02-000000000602}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.534{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D065-616F-9A02-000000000602}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.535{6F8252D3-D065-616F-9A02-000000000602}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000085099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.237{6F8252D3-D065-616F-9902-000000000602}30442640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D065-616F-9902-000000000602}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D065-616F-9902-000000000602}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.035{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D065-616F-9902-000000000602}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:37.036{6F8252D3-D065-616F-9902-000000000602}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.722{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE45FF50B7C28006853F04D898BBC5FB,SHA256=9E55BA8F9CA4043F88BDD5AA715A2AF9A246F4C0F3C1EA896440D87DADA60636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:38.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29152D1437C6C201C4628AEB2DB1028A,SHA256=FA7A9FC7360A67F22FE34E6E3625610CCC9AA9F533FACE89D6838F2602AFEC1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.440{6F8252D3-D066-616F-9B02-000000000602}4043668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.065{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB41B5B6588671F6FE36D59B4E99CA9B,SHA256=7E852EA48BDE705BB192CEF253834A082DB3159966A1ECDEF02B8A5E4CC16669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D066-616F-9B02-000000000602}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-D066-616F-9B02-000000000602}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.034{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D066-616F-9B02-000000000602}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:38.035{6F8252D3-D066-616F-9B02-000000000602}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49820592A7945D8B6CCDEF9189FDD71B,SHA256=CAFF6CDDA15EBC5A1330F3E52ECFFD89997A4BF8E07AD5923A4382BE6E211FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D067-616F-9C02-000000000602}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-D067-616F-9C02-000000000602}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.612{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D067-616F-9C02-000000000602}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:39.615{6F8252D3-D067-616F-9C02-000000000602}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000085131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:36.669{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50612-false10.0.1.12-8000- 354300x8000000000000000105475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:36.615{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56123-false10.0.1.12-8000- 23542300x8000000000000000105474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:39.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C237FAB7DF7D31A87D9C4C7EEBC5BD3,SHA256=80C32CB22069905A950B1E04CB03CDB73D4A1AA1F9A10DA4F0E9D717958C1916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:40.972{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AB9BB0E8295831A96255E2CB293728,SHA256=B50271DD1DD715A5CDC6AF85FEECDD5BA954639A556EE6BF14E637F8EB519BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:40.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12140D36BEC1C4CA87966B546E405B6E,SHA256=07E9D78DC55C3153053E8538BCFD034B2B493BEC93455C32CD80C7D51C90AE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:40.612{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AE8778BCDF3FF7477B8BEA5062A594,SHA256=AB32B92E102A33A50B558810A785464ECF208BA59CF43CC24F299CAD416E2EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:41.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A02DB8E7367292A16DA7E4749A9CCF,SHA256=2BFCB9487CC7DAC78B2A9766C67F8C487F1CB27E714EA9CE6B1B40574ACE042E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:42.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C59A9D7AE0227E799D578744C50796,SHA256=2E01263F35A7D496534CA0B37AD2B55937C95F49DE5347B0665F76EA426A76ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:42.034{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9BBB745F4B081E572DEEAC3304A0A0,SHA256=979BA524A2A7D8D50696EF809D0D180F6A6BD77972E0F7D94D2F426520D48613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:43.222{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C994ED289FC4C0C9E4C3EDDB78C8AD69,SHA256=9D8EC93395B6410C4B70A4C7ED836EB071ABFE68475D4373081537FCFBA76E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:43.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C86036BCCF293570E6ACE666AE27719,SHA256=188F8DBE70E51A1336273F1FFF8F920F559C5D25EFE5ABD03411FFB6E7B46CA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:42.606{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50613-false10.0.1.12-8000- 23542300x800000000000000085150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:44.253{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24286384A8241AA0F98E7CCED541612,SHA256=6A8B6D169D1AA139F5E645C897B3453E758769F8F955CA8AD4BA59CB18454BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:44.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FB0F5FE69BE49B2206C0BF8D3001FF,SHA256=B0AACCFD4CC324DDA6E5E127E290D030EE5F32DB6A50403FB742CB438165B094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:41.693{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56124-false10.0.1.12-8000- 23542300x800000000000000085152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:45.300{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41ABC41CAB7210EDBBD749EFACD924A,SHA256=34A98C59D70323062D982EA6EB5303349FAB55CDADF91E2CD4A8367EC74FE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:45.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C99DD73F663E93BF293B5C8E992531,SHA256=5070A55B4CAFAD538847D52A93AEB9228D06C3A6CFB37AA9F2F645ACC0D1ACFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:46.362{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A669321E93B13545A3BFF2D7B74BB9E,SHA256=3637C7CA9F89CD0B2F31B5ADC557CE0FB1AE81C67AA159065BDA097710010E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:46.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8636D1C22EC5299FB1039F7F6BB69FB,SHA256=997A9CA83C0710AF21886393E1E187B1B0986E6E2A812261638401C51E8E5382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:47.378{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34BB474FC9322935335F4BD48F3BFB5,SHA256=3C4E387752F4B041FAC25212BCE023E90BC36E20653EFFE33D70CB15C6FABEDC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000105485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:16:47.606{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c58a-0xd38c5d23) 23542300x8000000000000000105484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:47.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D673DFBDF1770D6F361923B3D778D8,SHA256=6F725252BCE5A61FB2340D99E694640EED498DE210BF5D5437C5641400E4A693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:48.440{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23E06781895E6E5A567F61B26B0138C,SHA256=02F7E21C92FF75C723953A79D79DD79BF2584F11E4F80AC57E029E2516A23197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:48.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B516D451C6189C5A9B42E4A1517A13A,SHA256=174B7F1F19FA71B0DCB9B04B8A9A28F197679364AB93D8B101B337FC5D524E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:49.518{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7840747308856CF0FA01B517F67A93,SHA256=1E4427D5857DB8079B21D67946EDC4AC7F667EA260BF10FFFF6B08D9FA62AD7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.966{8D4DD44E-D071-616F-FD02-000000000502}56845260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D071-616F-FD02-000000000502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D071-616F-FD02-000000000502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.809{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D071-616F-FD02-000000000502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.810{8D4DD44E-D071-616F-FD02-000000000502}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:49.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA21608E0A8377882227F07ADD070672,SHA256=A4F8E18579A82155FFD9422CF34ECD1E5D9D27BDF1AB60246F8B9C71F25BF14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:50.550{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4C7867DBB3D79019246AA283936D4F,SHA256=C3A83D6391194D4F0DF06AA4F12C03E9DD58A4C459FB1134868A6A22346A8B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.841{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485200C81681D1CAE5AA7E3A892C55E1,SHA256=7E9DEAD19A74D209CD890A65686CE758FAFCB25DE56CF66E159C98F2784F0053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.841{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC9C1E0F2D02E295F7A470032AD736AC,SHA256=AF46EEB24A1D9379A4C0BC0E5C5B45E6318C1905308FC8A289DD98BF81469E72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D072-616F-FE02-000000000502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D072-616F-FE02-000000000502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.481{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D072-616F-FE02-000000000502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.482{8D4DD44E-D072-616F-FE02-000000000502}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:47.083{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-185.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000105498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:46.724{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56125-false10.0.1.12-8000- 23542300x8000000000000000105497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FFF991345EB479746CEF83787525D6,SHA256=A6810303954F03C7D8959A91DFF924CB24F963E3336346CFF9FA628933F647AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:51.581{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0392312DC01E340C44ECB43924B54A47,SHA256=A374AA10B2FA21BB4B7318A85C7190DA729C1049BB60E2835D74F991B168A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D073-616F-FF02-000000000502}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D073-616F-FF02-000000000502}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.106{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D073-616F-FF02-000000000502}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.108{8D4DD44E-D073-616F-FF02-000000000502}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000105510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:51.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBE875A2B22D0ECD5DB698253AB2805,SHA256=2F7F76F1D31345F951293EDA9134AA3D5AF3E40229A30FA458C3F45661924F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:48.637{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50614-false10.0.1.12-8000- 23542300x800000000000000085160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:52.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A230A0C3CA9BA762DC5825E3EF4C0BB,SHA256=5EE3AF773137924DEFD8D58343DDCF2BB2EE40A96C020B6932EFD0494D454FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D074-616F-0003-000000000502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-D074-616F-0003-000000000502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D074-616F-0003-000000000502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.966{8D4DD44E-D074-616F-0003-000000000502}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.491{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56126-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000105521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:50.491{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56126-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000105520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062101E15137BC38938BF7339A3210F4,SHA256=3D6C132A7E51424104C9E11014F9500942C0661D7C583A0AFD8AFCF1EB21F9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485200C81681D1CAE5AA7E3A892C55E1,SHA256=7E9DEAD19A74D209CD890A65686CE758FAFCB25DE56CF66E159C98F2784F0053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:53.632{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE0DD5CF4D603411714B79860C51092,SHA256=DB8085A3A575CAAE0F99B8BB388FC2EAE1367A5CA0972C108D0515005869882B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.981{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85F4C4E36C965802E5EE8BA94F3CB1B6,SHA256=E850CF6ECB1D5008D1023AF06C97F1E4BA693839871669CEC813C0110C456DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.622{8D4DD44E-D075-616F-0103-000000000502}52125144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D075-616F-0103-000000000502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D075-616F-0103-000000000502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D075-616F-0103-000000000502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.466{8D4DD44E-D075-616F-0103-000000000502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.187{8D4DD44E-D074-616F-0003-000000000502}58285612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:53.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37010CA94F99B791816C0CA2B5B3BD97,SHA256=D68512C8DAF91883A706286264D9D407A566264854120EEA13468B8E8BEC7EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:54.659{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E1FF46153EED543FEB3D99C46D464E,SHA256=467ED2C92372FBD2BF067443ADD77A5DE5715E348C4D110EA3D59D6F69271BA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.231{8D4DD44E-D076-616F-0203-000000000502}352172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000105551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.090{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB97EADDFAFB2A67C2175955FB978537,SHA256=0E86B4622C48BCA0D761F3045AB2621690AFA1B5285682EC71C2270B04BD011E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D076-616F-0203-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-D076-616F-0203-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.075{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D076-616F-0203-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:54.076{8D4DD44E-D076-616F-0203-000000000502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:55.690{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23192AE0B63B54F0BDA9EA40EDF96573,SHA256=28E3C0B746BBF03708FEF215BFEB42925BB67B0989D0D929177FCEC4F1E4C113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.309{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1DCC77CFF2647636E48D1E77E7AFF5C,SHA256=CAB8FA80CCEE86F4B57BE5DDF1F3A8D456629F246856C21BEF50183AAB6C3813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-D077-616F-0303-000000000502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-D077-616F-0303-000000000502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.262{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-D077-616F-0303-000000000502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.263{8D4DD44E-D077-616F-0303-000000000502}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:52.737{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56127-false10.0.1.12-8000- 23542300x8000000000000000105553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:55.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECDC40E64E32E0C3461E45FDE043346,SHA256=3B20C55DB0D40B866C7EED254F1DFEF88E209762F94EB09E96D2EF813F6A63CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:56.726{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321D49A4181BDF2A15AD6C93597FFE82,SHA256=9DED066F948B00304FC2687B2F2871E71740E0A994BFCE6DCD7C36CD2DC07361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:56.110{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98D00863BDB5E4EE11A2D665E2F70DC,SHA256=A467ED063F61B41415CBCD03483AC5A6D42D7E9E975538CD751D4C2998820336,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:53.654{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50615-false10.0.1.12-8000- 23542300x800000000000000085166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:57.741{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B4F473C1C9146AA9C514D59AC9D78B,SHA256=1C66D5A9CB6062881E6975ACE66D84282E38031EFDD41B027D1BD9E56D970A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:57.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5157250DD3D8EB87B4F30864B1F262,SHA256=274BE67F178639CBDA361D83A8F7C61EDAEC42A005CF81C7F41DD6A12C54FAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:58.757{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97BD4DAB97E0713B2E66D10251A58C8,SHA256=182145B635E36634D43B28A2B49751CAED12706D4F813212923D33251278D8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:58.360{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E980AFCCB2A530479E4626CC00761E8E,SHA256=C22C8452663EEF2B3529F855901F7C1E934D4FA9B46D402FC4418BE4233D8179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:59.773{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4823E41AFCF832B2DA6ADF1167B5195D,SHA256=EC4B8F212CCCA9388336B434E23C5F90A4CA7C50E95F657EF2E2785FE80AFE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:59.360{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429A62C49CCF3F590AB7E9B4FB6F79F0,SHA256=B737B0BBA6CA525ADFC7FC2BA201C68CF5794F5BDB209082BDC292162ABBDC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:00.804{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B433AD9B63FA38E32034E9C3EB21D23,SHA256=CB1956E21209915B405B8ACD4908529E66653BD767798CC60ADDEE45049FA158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:00.391{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CED341055D6B9CA75A7523C046358D8,SHA256=C254FBAFD9530A39CE90AFD1F36FBB2E726FFEB608EB0C6AEFE69D8B962F3E67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:16:57.729{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56128-false10.0.1.12-8000- 23542300x800000000000000085171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:01.835{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D4B92F092C2F5AA6FE37754A44A594,SHA256=0A7BAC67152427A204E4A5005AD88AC2BB4F506F7858D938B15D2FAEA5430531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:01.422{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97229A68F05E94ABC53CBF8638E37B3E,SHA256=DAF8DCAEB2FA9399F211F782414C306618FD781AC57563262B5A3128A7AF0C46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:16:58.814{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50616-false10.0.1.12-8000- 23542300x800000000000000085172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:02.851{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7636BA3DC973F34646F3F10483BB109C,SHA256=AE39B8EAE52C1A74635DAE8002F8530E842A6DA544E24FF5D1EBAF89DF515212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:02.422{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669828F17E0F4E050AC780BD0E32CB1C,SHA256=219A5CFEFDC73C4940C5EB23D575A86964BD16A1BD1E3ED5A37C239E2DB4B146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:03.866{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E6AA8488F330CDC67182A59079A246,SHA256=0373D97A2AB2F3E45DFA34DF0544061C506F2D3B7A35B336E06E686BEF526220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:03.438{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C3D959A92A2A9F6B58721C9513F84,SHA256=606C41E7944E04EB7F005C06E9E93C55D2E8B5E915B9CA19A452B1A13C5B6E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:04.882{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1C27F6C961679E21A1FE2C09F11FF7,SHA256=AB2EAE67EEEF20F30EDF74F5339EBBB60769BF13E009CD35037702DFE16132D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:04.594{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB068D5F32A28C5B0DD4C98E1D02D33C,SHA256=92279B141F9707A213D160E9F00222A959AFAF85BDC8A84B466B9743BFCFA7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:05.898{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5BA7B29CCE855A884414D877C155A6,SHA256=91E4CD4E88BEDA76E0F2BA1FF53F29F66F29C3464F4E84D8F9769E9A600022EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:05.594{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7B94A11D6CB1E91092CCC0B631972D,SHA256=168CA1930BB82311E61D4F782DEC87D273BEE5058426464A46FDE9D0A9ECE4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:03.729{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56129-false10.0.1.12-8000- 23542300x800000000000000085177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:06.898{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F5337D64787E6868E6E96097BDCDBA,SHA256=BBD1D14F67BD6F087F4967EB2FB6982CA706B14ED7FE3E36AE363ACBAE14EEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:06.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFEC87A405C72BB541B34C957593DA5,SHA256=65DA7594A6F3277760716882A63A2B316D627AD23A9AA0AC1585AFFD55F8899D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:04.751{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50617-false10.0.1.12-8000- 23542300x800000000000000085178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:07.913{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99328F62A8944B0688952F08F33CE8BB,SHA256=83A62905E2C08D4567175960A7E62E853927C09B383777FCF7C8D955ACBCE2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:07.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7AE13553DA383C1F7AE18373639874,SHA256=69ABE9D529C10631822979E4A73719942D89C485878CC4CA79846D79FBD744BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:08.929{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069F9AB748C5CF43F91FFD8B5E5D986A,SHA256=777F069F997996FF0C61EB8FE8A91A17D233515BAB45A37275699A61036ADFDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:08.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12480BDD0A8DADFDFBB080D9A6C552B0,SHA256=1CDC52AFD8B8543DEAF8B0E7712186E660DF5DE2DEA11B13099C1F5133944D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:09.944{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDC92FE729FE14679A79BCB1F0C1EC3,SHA256=4113049E173B3B23F8A9CEF5A1EB6179BA754CD802C8FBC68FA4D54A61A10A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:09.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DB463A98140FE2505729256DDE3441,SHA256=D2A978B3ABEAC9D33EAFFF9A79304165375DE541513238526DC60BD3FB6C6E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:09.710{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:10.960{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD43DFA76E791D8AC1F520E39056D9D,SHA256=98BAFD0CDFEA1C99EFC8D5EF778E8BE4EE73D6BFCF9EEA7122736D90D33F903D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:10.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA3E777DD35ED3912A58C26BC1C7D37,SHA256=015D733A35BC548CF5B7AC42C83743C86378BEBBA742A70CB5A07D1F19BA5138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:11.976{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4687CDCA702E69BCEBF93028DE4D48BD,SHA256=7A9BB545B0F95CB9E901F35621B75DF940B0AFCA48D28FA30DB0986D18FC06E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:09.667{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56130-false10.0.1.12-8000- 23542300x8000000000000000105581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:11.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF60D82FBA7D275239287586F4911908,SHA256=F39E8CA2B33617061D163B4FBC2E943F8639665CCCB4B79F5004918F4197AFF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:09.251{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50618-false10.0.1.12-8089- 23542300x800000000000000085185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:12.976{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8076F5CDD364587714E7CC3330C14,SHA256=7392DBA2DC34661D09EE00BE14443CF3C517C9F877E44DCBA38BC6A462FE15DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:12.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2109D161EF7405822E0FC3BEFB4424B,SHA256=6D5AF606FA0F3BD77EA0479D364C8AEB0BC93D439BF5D644451E9A110889CFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:13.977{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D484DD746FED5CD810EC2FDAED102E5E,SHA256=03903ACAF924E06BE29A527A6BE4EE33305F0ECD695A46044D68037D1F512926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:13.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813707214FB47B0BA1C45C4BF4617436,SHA256=7A76798285BC4AB795489147CFF3903E3A287E7804BA1A97BDB2963AB3F8B100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:13.653{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-071MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:10.657{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50619-false10.0.1.12-8000- 23542300x800000000000000085190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:14.992{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159C5619420C3DCE4984CD5A272D2D1,SHA256=64E9CEEDE1B5F49A3084FEB8F739A75EC3F7DAB81E23334CEECF57E5B155AE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:14.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC274B91DC6C9F7A9554A41A721DAF7B,SHA256=77BA69D8DCBCEFDA81AE3847F89A5EAB8618B4F53402C493D3E45726085BFD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:14.666{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:15.994{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9ED0B0F0A623B3BEB6E2E30932D7749,SHA256=76945F96C5A9CB30B5BB0FE4704DC9A011DB7D30651F1095E85C8B55C85D4D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:15.610{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF69D01AE5D15A1BFAAF98D18F2880A,SHA256=0D0B91AD83F95D5781856C463C0670A09D55C4622F477547D31E0ECC0A619D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:16.611{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE8B095FB3645DE48043B15EEC93FA3,SHA256=86E9E63C7688FE041BD0B1ABBFBC1DD7EBD169493BBFF7879BE96C9B05B29D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:15.639{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56131-false10.0.1.12-8000- 23542300x8000000000000000105588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:17.611{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0206A4CB2DCFB9C68FF41915A4851C7A,SHA256=94730F1AD0AA087E13B4BB00C102F3F30F72712AD7C20F2FFAD1FE2546152B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:17.008{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF34277A8961A373270B885A12ACB9A3,SHA256=B2B1CBF781142E4DC32C502BE2FD70D6E75F3B25FB66EB6A39C21984B847B533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:18.611{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0146028BE806704625DB46C9769EF7C,SHA256=01A6627EC164443A688594B674C9BA106656A0C6E5F13B8C077028A2E3D694A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:16.658{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50620-false10.0.1.12-8000- 23542300x800000000000000085193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:18.039{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E813437EBF2B14B66605D8243B99F56,SHA256=FA431B3C506CDCD2890F2D242C1D52E7E6014D9CE8495C40873BE3A9223FCD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:19.611{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0BA122085BAD612E2793112E11458F,SHA256=14B44499196A14FAAC8A60F20A459BFF70FFE2C553339D0152B449B2CCB0F81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:19.118{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313E244A3F1888008AAB977D165B0C25,SHA256=588141267C3399D12D0D2B440FC7DC3F85122F190CA0F04C14ADFAFAE37129CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:20.133{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C31AFB6C78D63B42E7756875AFD8B3,SHA256=1DF7B3AEC8F216D7E3797DFE5908C5920009440F657F735388BFFE326FA7A7F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:20.376{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000085197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:21.149{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFDE2FBB79EA8D654D2F09DE2B5B80C,SHA256=DBD8D11FE0474E5EB76BF8544CABE56A2D09E4713AAD1E54FE4975B4B92026BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:21.236{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DAFBCD9EC5B855F529BC8972602AE9,SHA256=BC705A052C6750FBDB16B70707300B12A7FE16CA8CCF5B5990ABFB8A30F98939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:22.164{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FAA2FA9ED1A7710D4698C95B09FB9F,SHA256=255628188CBD7C327CEF1E774E0B706BC191D561769E3DC2E1314E2E80486BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:22.236{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8BDC01D19802CDC020E515D55C8B3,SHA256=557CE000DE51EA097C74686573B18061E1C549F9A1FB52CA78543261160A12DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:21.668{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56132-false10.0.1.12-8000- 23542300x8000000000000000105623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:23.235{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC3A8183E91B08DC09CC3EA1984DEEB,SHA256=E4FB0456ECC316D7304FAF22C3D8571C31E079226C07D9FB73773DAC964ED1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:23.180{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AE643956450EC6F7C62267654B3455,SHA256=1A259C6DA6B29BEFC88C86BF830A965F7A8E8CD9730F7A053DBF674D4C077C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:23.133{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=185B6F88880D4C5B8B325F7FAF2BFECE,SHA256=3CCBEEE919A0F24F3C850AC2585329DB564DD36BD4BF29672D6B09DEFF33B5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:24.196{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E09599672672DC326C2C963ED3157B9,SHA256=F13AC18B9FEEC82FE2AED96F39E53DAB641C05520472590984BE8AAA8B6B172E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:24.251{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD2C8BA4B12309FBF4E05EB74D7056,SHA256=781FC6B50BAB27267EA3A54AD07225A91947493B18CDA834D9F2BCC9D01871D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:25.211{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2E442DB5D86F0A2A92E68D2BD3F1B2,SHA256=404EB31512D21358B12D6FE7CE8DDBC76B603890F678F9A929AC6721028D9903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:25.314{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:25.251{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35026AF3BE2104A708947F459F46637C,SHA256=A64AA1BCE9C27F41CB770F22C41E382D89A16DBAB25C409A70C8DB3C1C6E8FEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:22.627{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50621-false10.0.1.12-8000- 23542300x8000000000000000105626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:25.142{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=216938073CEB6EC91E34FFED3D02B62B,SHA256=8A949E1AB99C0E01C57BAAEC8551BDA97B9093C9CD57DEBC8450219449B046EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:26.227{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA34D00166B536EBD1989B6F009F704,SHA256=0337127DBE5F401070DDD78C8E510796ADF0ACA8120BEAFF2D262BC0597EC026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:24.793{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56133-false10.0.1.12-8089- 23542300x8000000000000000105629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:26.267{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2227D1B6EF95B1428794F620155EC97D,SHA256=BEE2DFF344D52D1069EAEDCD22479C7B3E9D3781FB8B7F847B0E420427A04F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:27.267{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A164BBD98410514F632E09ABCF4031,SHA256=BCB49D93FC373892825668108560DA28A530EE6CCF91E169A5E49DD8B2F6058F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:27.242{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7B0F2EAF78C3D9B4EA11E3E21B3557,SHA256=79F188873CC170CBB41307DD98BFF57B5E4DA3177620DFA587581BD3D2EB02B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:28.258{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C16149C65A396E66918B5772AD6621,SHA256=BDBE10BC810234F56D2F89CDC26A3DC9BA0D6D7901D6161520447A3AAAD51570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:28.272{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17719A8A6D5FB32879D8EF5F0496468,SHA256=E345A3D7540DF787EDA22EB101C61AE161FFBB46E4A9B10E96BADE36052A90A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:28.270{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-071MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:29.274{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120308A9EFF121B6FE318AA81EF1B515,SHA256=111B3C2C61B44E2E134F507557AB7C484875A69F6414AA0888E8F607822C9734,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:27.670{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56134-false10.0.1.12-8000- 23542300x8000000000000000105635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:29.285{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219DE8A9E4B37BAF4DDAF4CA3CCA70BC,SHA256=F9F0925BA17E410149C15A4085B718233232962BA81E0F4227E0EE2ABED3EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:29.284{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000085209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:27.799{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50622-false10.0.1.12-8000- 23542300x800000000000000085208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:30.289{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585BD3444305461CA918190350924C98,SHA256=7BFD8CF2D8C407D7AD709E2E76BC979FA8A9583162AB13BB9D3D799B8EDC5767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:30.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFD5D5FA717BD8C182BE5BF1B7466F5,SHA256=DEFC03C95837E0BA879691FACE2B488A22D13114D16DC5FBF6740118EA02FB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:31.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394C571CF0613E3BF3734264FD30EBEE,SHA256=A9A38EF9351F4E0760F824EF51F9802BEFDC2CB971F18097C6F0DFDEADD6B8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:31.289{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B217E01586E32310603DA3BF4F443CBF,SHA256=E36F3DF00E721E6DCBA5D71877F1D9D0AD747C7BD145022013188FADDE450B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:32.305{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C503A291BC09B1FA7DF6FB404026E7B,SHA256=FB5BE180DE662B2CFBE6E503D1622522BDF4C9641BD0A1866C257D33C31CCB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:32.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E095EC12EA5F8784E558347EED487B10,SHA256=9AAB9551D5E446B7478E7BC0CE260C21C8BDBDA6723C7287C6A01AFDC6B21927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:17:33.299{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D114333331463A156CCFFB032EC54F0,SHA256=EB0134BFB6BDD5629301BAD4FAB34E4C917AC6F774A793C390BD32FA31E5E12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.320{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED71E21971D4FB46C300FD473F8B283,SHA256=E9EEB7739000C7722C6638876391508464C10168AA49CB3E1D43A98B8070212B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000085224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-D09D-616F-9D02-000000000602}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-D09D-616F-9D02-000000000602}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000085213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.164{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-D09D-616F-9D02-000000000602}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000085212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:33.166{6F8252D3-D09D-616F-9D02-000000000602}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000085227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:34.180{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F33873E0A0DD0741E64E19AE8B04B573,SHA256=33C7319284634379DB541E9EC4671DBF33A9669D3F5392C623F05EE2E55C1847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000085226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:17:34.180{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F5883AFCB84C367BE4CDAFBCAD276EE,SHA256=2495CDEE5718381FA0B5348DD5890B7A761E475B030280FEEC31B9654BB58605,IMPHASH=00000000000000000000000000000000falsetrue