23542300x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B72D1B55DAEBFEDD590774AFBF52D,SHA256=2E0D73C038613D5BFD1916EE12AA2DCCB10E35F2C6A3CC53056CF65948E94EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B2086ABC5D0FB54FCE9AB1C61D920,SHA256=59A5B85F905A5BADAB49790496CBAF77E0860EC71746B8056A63AEC0FF9679FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.400{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23C3B49B7B63AB623CEC06347641F7,SHA256=398401A8EAC173B3BDF4430507EFBDEBB4BCAA669681E8887CC785F87E766EFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.442{6F8252D3-CE47-616F-5902-000000000602}10002992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.209{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.926{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.754{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EDAA290A0F911ABE3FC28A75F67B2,SHA256=88FF3A2A9BE271412CE6AB1B6823324783CB9D88455C5C8B791D06C2A34BBB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:36.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135C40982BCEBC031FC3E8D71D7660A9,SHA256=07E0FB282E3814520077ADA109499DAEBF59A4C3A882B2959F7880407525E5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:34.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50509-false10.0.1.12-8000- 10341000x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.942{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:37.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489E60631C15C713C40EEC957529826,SHA256=D4179DD2C9660CB2E0B96C0EA44EF97BA138AE07FE81D46CF7FA74EE6F87E208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.754{6F8252D3-CE49-616F-5B02-000000000602}11683024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.426{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.160{6F8252D3-CE48-616F-5A02-000000000602}37841556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:38.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F28C31CABB680093989C945FB8CB9,SHA256=A256BE621B265A5AD7B9840E8D50F9AECB95142945E4A48995ECFE5BB0C2B465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98295537066EB346182B41D9BA309186,SHA256=73C38F4B432C29CAD763CAA55C4199BAE5C1F871E66531E19F5ECFFB413C66F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8082889414DF4280EA9D8CED92EDE29F,SHA256=11091671BBF8E7B6BE074718A9AF1B2F2DA3EA8C4B8257822B000D103CFA2DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.160{6F8252D3-CE49-616F-5C02-000000000602}28483652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.525{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55985-false10.0.1.12-8000- 23542300x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:39.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415AAE147560146A6E7DA77B26786A2,SHA256=EEC203A688999B33D56681194B2A9F106C1FE4F91420046FECDEAE0C180D719B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.645{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5A04B82A7C36492653C3F92AB2604,SHA256=48E3F378308B895E0ACB5D4F90D2DCEF54E703A6BBCF88BDCABB02434A0C0721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E408FB267434D6A006ED45F50C8F6B8,SHA256=7FE5C2DB9107514E2FA583B4DC1D322948427D118411C6027445562FFDC54B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.675{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B27EE74885E22D9521A6C7BA56D1C4,SHA256=47CA0D25E52F4FCF561FEF1730A877B59B19D61757D033BB2164A9B35DFA7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.269{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4669AE8826AE9A2D56E0E3EC08A3E8,SHA256=A0FB42674CD74B05D619A22C3677DE0927EE0746076A45325E121C22D63B2124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20DC963443CDFBB7435CAC281906E9,SHA256=488A3420EF753C4AFFC8D46D0A1066259E75BFBE07378071F963FE6B9920E296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:41.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD2272CB67A3745C1B17CA9977CE48D,SHA256=EE642AFEBA67BA0E6E8EC833893F5D31228AF6BC55C61166BFAA4F3FC22F25A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.810{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50510-false10.0.1.12-8000- 23542300x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:41.363{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF62C59A58B3F4FB0BDF09EA72418490,SHA256=8E58A0B1D91288EE079F33DB5F30A32B0A506742350A84485B770D7B8F582B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:42.379{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA466715E1422BF146BBFB24517C43,SHA256=7AE69D6D241179DD737041B121781E9859172B9697B73A60DA4666861A631FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:42.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCA1BA1A6C11883F7DAFE5977E847E,SHA256=1A6899586274E42ECDE0917B0590282C644E3B59F9822C3B6F25ED1EACD38C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:43.394{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303DD25E2CC17FFCFAC7254EE3DD3DE6,SHA256=6364F4EF6AFBE66F88FC4C3989CEED08342D39025CC1D23225B3378AD80ACF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:43.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C959AABDD2AC6C4D3771296A3D938C93,SHA256=FA47F6DAC3E725426BEB1E45334E3CA685D8F72BF29148707C7B54DB39F4B00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.713{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55986-false10.0.1.12-8000- 23542300x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:44.425{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B13FCFA939268ECC736CE0A6079CA9F,SHA256=728C85A93220D8BC98696A809221E1DE79AB11462121E07523F30CF27E7A298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:44.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EB4E6238C47BF092952D2F92D3B04,SHA256=3A39AB7168204B2E8DC60D33EE3517191DCF7092C9BD896638A15D6F8B417251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422E29F23DC0F0FF16B46A2B705BB0A9,SHA256=83D002A3412B1365C59703DEF86033126B592469E4E57B94766221FB0180F592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:45.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A900A9B916854F143B769BE7DB7E0,SHA256=6963BFE64B8411B5D43717D10D0816E3AABD02207DA01865EDCE705BD47CC53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:46.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017C29EB33F549DABB821BC14798246,SHA256=8653DCD5AEDFC53F2B7CBD2C07FA73A6FDEEAF8B66122497B722DFAD7F801A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDA51AE290C14E882F0A3F727AED3F,SHA256=13DCB5231AFB3EB8B3487415AD75D63F60A7E993AFE16CD1C987667384C97135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:47.644{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E97BB8B3613BF62EDE416A30E2C39B9,SHA256=75418CF9700F0478D448948DCF88512B290B16E1D2403452B459E528AEE7A03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:47.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F8B990821EC452C4CBAE92A5CDE912,SHA256=1F7487759E8E8FE8FE67D3A572CB6AF358A3404ED36B9A5805DC28F3C08265C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:48.660{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A647E868751748221848E078619CF17D,SHA256=F2AADC1766033AA7810B965A28784B5867F31C9E41728C5C1282614531D204D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:48.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4176B871DE7A646E989C31C24469A3D9,SHA256=4D926E54A4E5AB66124F690E904BA62BCBD00A81850823A53DB434042792E8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.638{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50511-false10.0.1.12-8000- 23542300x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:49.816{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8609D7805A8AB15FE7825D52FEE56089,SHA256=D8E315E444636DE0E671B19B005F7F48E0664B12486996912A44A38F41BF38BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.795{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0165AA5BC51260AE0CEE610000F1C3,SHA256=C10D4A65AD8C4A8B079F9F7818723CC6E59141A282189D7BB90F7407863F5C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.603{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55987-false10.0.1.12-8000- 23542300x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.956{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6FC1A380B1F554FE1DF17F49774DE0,SHA256=20845250B4F286B28FD5B6C8FCFA53EB36C09631AFB79FD26DD3DB25D716FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B69BE4D8E31A9E73FBAA6204C003D0E,SHA256=4FBA27469B112BAF7F355FD8C1D54D19702A68736C12B3F8C5DA20BA715AE4D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.967{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.295{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.013{8D4DD44E-CE55-616F-8702-000000000502}46642172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:51.972{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348D85EB6AB5AA56E03B93923BC9BAE,SHA256=9FFC297CFB57F991C9D055DC70C32923B279CB7C7E04558FBB1CF28C4A33A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.982{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E9C990E01C3ED134F6F4CFA29C9EC8,SHA256=5C13652D6CFEC70FF25DFDA79A0A9B04D0DA42B23743804AC1D7FAD2C59AE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.966{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539E8D49D0B95254F9C33A14ABB9F54B,SHA256=B0DDA5D64B2F3A9C7F99E49E1F9A6934D590570E37DC0767C9E9873A5A49DFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:52.988{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBE51F1370DA34B25E8C6964D6A563C,SHA256=784324C51FE1941739A54EB0C0AF3B6A30D3541E544CB7C1E5B820DF0FDF6C29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.983{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.685{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50512-false10.0.1.12-8000- 10341000x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.825{8D4DD44E-CE59-616F-8B02-000000000502}1552332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.169{8D4DD44E-CE58-616F-8A02-000000000502}19325028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.014{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5387DB01E17AF4031B86B23A5E86C78,SHA256=E76A79985F748A90FF83A6242A772B15D2293B02985AE794E8F089F6BCB09934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.697{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55989-false10.0.1.12-8000- 10341000x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.466{8D4DD44E-CE5A-616F-8C02-000000000502}26604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.326{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=410BF2B034A9C5DAB9FB8B05A7E3FB18,SHA256=B21D1534F6781665EC9DBF3C7E65EF06BCBD1DA7AB542ABBFD1C0FCF663E9D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6663EA88575027D6B72717F152476A5B,SHA256=81305189BB3B5D79DF0A581697C9E0F58EBBEAFC37BB34AA5DE7CFFD22C931A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:54.003{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58EC3A3CF7964D42D736E8127D567EF,SHA256=C48ED2F8822984E6B219A73B0399B10B33702105264760EE838D27FB308177BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.019{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA197FD4F4304997C3F8E282B10119B2,SHA256=C7E902B15C0A45F8A04F140B1B8F9FD3F38BFEEE46A393305DEAD9A6B9A7F09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.561{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0542AD7128CBD608F36DFA52CB67CD7,SHA256=238373E36C8A2691DFE907617593653F6CF0B6C94C348EB588285A9270A1790E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.107{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E52E718E4998FD331FE1D334320796,SHA256=B67D5058D2722B8AC525CFB917775724AB10560D0D7CECEAF0FB58813FF7F24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:56.024{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3856AC24DAAD845159586F95BCD4D82,SHA256=F38BC2D3D6639AF98DBA9EC61BD60FCF167C73F524F89820C094B907A93470DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C208D75DD9647E30DE720DAEA1731D6,SHA256=08FE9C29E1C6824D6D01FD2788C830A7162E447A0D6CBBF61360FCF2D049855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.158{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D7C6D62A1E6CA46A820EC0D7627A2E,SHA256=5621EA99CBAC2B030838AA8D3EA6E4FB39D48FA2EA1EAC3E8EC43137CA4CE5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:57.040{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1EAE82A62A00609947ACB01D7FACD,SHA256=5086C29BC943094BDCF0FCFD735FA89EBE8DDAF7CDE029618A16F007E79C3713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.174{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE97949430A9A9A610D6E4907A29B5,SHA256=A1EEF709550A4049B71DA142CAFA7ACB3DA193EC33174BEF2DB59803911BB48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:58.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5868DFD5A23130EF8E7472D900DF6B1,SHA256=A9BAE50DD24E38292510B2B14758F4C5D45DEE2D5E44D2588B63BDAAAD495916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.721{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50513-false10.0.1.12-8000- 23542300x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:58.055{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BA2A09AD1D056EDA39EC6FADB5AC76,SHA256=C348E2E769A508043B8C8B00A173A838578311B430C8C88CBC256D6D112DC432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.531{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55990-false10.0.1.12-8000- 23542300x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:59.346{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295414E12DD116DC285DD7C48B6D797D,SHA256=49D641EAC2CBF0A76E66EB97C8CD5BBEA5EAD5508AC518453DBCADD2DB90C90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.949{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-062MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.071{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EC13511F6C499EB40E3355A708D103,SHA256=D8EFD27F204C2799ABB7C40E2A95B4552194C85647A6C118B5A42BEC785C2E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.964{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.072{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59974489F116C58082CD0FAFCE4300CA,SHA256=D690BD292CF29E6251DDBCF6500CDF297D8AC872CA48067926AAC5AE7658FDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:00.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9316462B422A12141FBCB453A0E93E44,SHA256=FB823FD95D1D7AC1F8C64766E27245312CAC945BB2B714D4FA84FE0E19E7472E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.086{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158C69001AA1A4F5ED4C68B485BF32D,SHA256=FBC551CD75F9B7CCB2687E4840A0EDC3CFA9445BC6F44F58DBE1C97983DC58DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:01.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950009B2DE2E6F439BB3239B5C097B8C,SHA256=A8653292470780646E9700C4F81E9726BF1F9FAF203CED3F062C7B4E6FA9C3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:02.089{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F561B2B6B5CFC90DD77DD44CD15209,SHA256=4E42B0214F7F830CFA65E0200F762524757C3555D1BFA8E5D0C3666212C63D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:03.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:03.104{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8092FDA4A103DC3D1BC74C6F5503064,SHA256=F9A50C2869BEE125704F9746F24908C3E60A26488A174F5D1800BBD2A60850B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.676{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50514-false10.0.1.12-8000- 23542300x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:04.120{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB3877A93379B03A41121621DE7E98B,SHA256=B3BB220F040F50E29B8BC864BC097CFC2B8B9DFF958E32232D97DD8E4BBBFBF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.656{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55991-false10.0.1.12-8000- 23542300x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:04.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:05.136{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE15CD2A628FBA6391C4B44AF2B1A73,SHA256=2D7B97DF3A908E65CF66359F12780FB3147DAA76A4CBF625B6122B4EB8C76B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:05.502{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034FED3B20B1F7874FCABCB8031D5983,SHA256=556E8A37E45DBE3B2F84EE41166C546D6EA0A85474E9096CA96E70DFE2AB7F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:06.518{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825202F7730F67D3BA306E5EF95F786C,SHA256=5A82192FBABEA89751BD58BC92A96BC53D46D3AE8DA36D7A89406EF915AC56B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:06.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67519A53AF11615A3374EC590C3D76E,SHA256=91D5D3D70823E6E17AB7CF6E8414DEBDE3593D558E700A25B2A4990A08976EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:07.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.167{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3191AF859BAA2731A42EBC4EEB700B5F,SHA256=167EBA6CDC2A4FA9E9D0E2751B7D441FA0A76121D1550890708056352980AD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:08.182{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC300DAE80D154A0C0101AA85EA8FAF,SHA256=BEF858911814B46120178B860F7555004FAD9AAA2A7D07589A3788EE6E1E01A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40451548950A4A25CBAE648F0493562E,SHA256=A8995D68AF3EEDB2EA57CD9B214676BDEF480E3A3EE6A143AC768DCB2B3E0801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.510{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.198{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04031BE41FFB1B892C6345C7C614A3B3,SHA256=D8541CCAF96EABC48856FB4D2AAAB5D044C82F1910BE73C294F3ADC59C558067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:09.534{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA950C838F7CB287210A1998979E19DC,SHA256=1C428E4E5DA9F08F4685A03F954D2C16A3830E047CEF4BF89C0CBC3A9EDA0D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:10.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428A512A39B1F82F8C0093956756031A,SHA256=F0196DBFDBA7C2FD2773FAA0B88AF12EAB87B5754EB1063A08A2EE89D601E1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:10.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2D4C3611983F2EBE1B78F9C555534F,SHA256=633C6DD66B3CA46F25D107FCE45728C67A0CEF287C28DA6283B3A1C819B0FE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50515-false10.0.1.12-8000- 354300x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.515{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55992-false10.0.1.12-8000- 354300x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-185.attackrange.local138netbios-dgm 354300x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000102315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:11.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B822987ED38C3D3D4F8EAB88AABC5D1,SHA256=AA105A47B6341B4C8E8F53DE6EBD19287B08455EE22D14125E95C928305AE1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:11.229{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE6207F25D596FED3B1EEDB4BB24BC,SHA256=521ADAD74590A5C8FDC672ABD8B4813DF7740F0CFE5E94C727B73C93E47EC6E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.051{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50516-false10.0.1.12-8089- 23542300x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:12.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C311041D95F16610F4F5655865D09760,SHA256=1A76C0759EE70842E484F3F9D959598D802F1CBEB9446F8BCF63BAAC752B4D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:12.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4860F5058439EC016EF7DAD7EB2FCF53,SHA256=474D6B3F78AC7DEAC244E014AE8B9CA5DC156F48DFDA496A0A5FF21B5B13BCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB53BEC2922BE737954A93474F162A,SHA256=E960E9C30D8B7DA175B64C24D814117D71855611EBFCDFB91CE90D8FE95C1F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:13.565{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802BFA2AB9A3D397DE25B54913FD028,SHA256=10393282964BB5320484D599D7FDF473AC9128C259626205AEAE8B55471534EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.582{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6A3483FB28860EDAF99A585D2AA5A7,SHA256=A261ECB3AB875FCE48689A0AD4AA6C43A808253F3C0AF7E87A74EBCE537696B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:14.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE1737095C1968F183995A3DC2D20B,SHA256=A9F03CE9459EF35D3A58603E5F28DBA97FFF10476847F6EA81310625ED210D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.507{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-062MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCAF0146FAFC8BE2CD8FCCF6DEEC263,SHA256=D57D08FCA5CF8F0AF8DACB5D0799403A8DF230B080A65B3B9CCEA41BE767D466,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:15.595{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c589-0xa25db7ac) 23542300x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:15.276{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5863550AA33B77CC3407D361B286AB,SHA256=24CB08D3BECC68BF394C0DECDA66D88BE370D2AEE5A0F658C3CFAD2E93CFDB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.505{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50517-false10.0.1.12-8000- 23542300x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:16.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1C1D26BC37086F03B52EAFDA99FDEC,SHA256=6014D37C59FA6116579FDCA96B84E63EF81169909D5DA6E15E2D02AAB4AAFFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.486{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55993-false10.0.1.12-8000- 23542300x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:16.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D36ADA3931E5E9B6141609E42173779,SHA256=EA2FF400CDD1648BAF2C26B6E26CFC907127F3C05EFB48CD8AB019ECC77550C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:17.302{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386D60406165E548BB9E3A9A75E3B9A7,SHA256=22C6BA7B17EC0C845E7730457B3CB0FE20C0E4E3F48912A1B07F655C7FFD29A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:17.596{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF48A7080A3BB56A1BF9EC0037DB8C1,SHA256=5BD5AEBFDFDF4E7741AD8DBA3C5DF7213B744C6F2ECC263243C48E151C7EF116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:18.627{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C65B9D320BA911D2F08C2C75B0D84BD,SHA256=36341D2805D17954220BA39C6EDD76E62CD1E0F01A245B84BE0056C9D4DF1F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:18.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA72EDF87A0584597965E0FCC777269A,SHA256=9A88DE07C68A1479E9AB42D51FCE281772356405A2B274A101151F396DCE337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D2D172EE21749B010890B9CD18E2D,SHA256=B1F4A3770884699304144EA868D135AE7B9D6A661DC97DFD97DCC8689EFBDD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05650893CCFF60A68B12D938C9593B0,SHA256=59A2B6AD7611FA07B1983493BA3AA2BC506257269D624E8864772A3311B7E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:20.783{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58D847276795003FE92182693968F21,SHA256=BE0674E7089BBB0E86599A29C72E52A87699D558470FCEF22CE6B45715315BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:20.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296A19C5865210613584F86AA7FDB1DF,SHA256=4EAB68415661AA5BCF0F37608A3E3AFB0E4E6C9FFDD2602E13860CDF4AB19A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50518-false10.0.1.12-8000- 23542300x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:21.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90217759CD8C556B4F9E120F3D08668,SHA256=413FC7E7CE5E0349EC2D84AA82DC41A71AD77CC6F011D09D86730437A7AB0112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:21.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF4EAADB4181B4C0FCB7F62D40E8104,SHA256=D23B886A05AED15481F8BF97A5497CD5E31C1B3C47D7002469CBCEC17B4BC09A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.609{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55994-false10.0.1.12-8000- 23542300x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:22.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB737B648774CBE88796F833924857C,SHA256=7EF3283C88084097E4504082074BDB267C37920424113B3FCCED1A3FD7D66B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:22.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86CBA975BA5642F08E784CC27D22FDF,SHA256=0C8F2D3F3A8AB8266DC0910DCBF6CA44E689C27E99C2BFD2B571040BBDDBB78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:23.845{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27367ABA0277EB2A81DB9AD46030CAA,SHA256=EE6BD08ECC2CFE5173311C0EFAD411B2969024E4BC58E011A8691D5043986538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB3B5DDBD61DB3CBC0FDA974A86431,SHA256=D9985041D09FD3E85F33C5C1D1F531170BE38A9079F33442F0EE8783E9DBCE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.067{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FE0602D19E954A218AFB6C3298940DC3,SHA256=4E122A3A47EB4AA8ED7E945E97E78D790CF9494B60D96F0DB82DC6E00440EA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.846{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B7D8D1D577B2CA2CD056B61EC4AC7,SHA256=41EBE274194D77B128F5C7BDD4CAF68725A64120088C912368FE8B51A834F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:24.395{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD654091E322AD717BD608F58D21A2E3,SHA256=E16442739A1271799432362739685B3C1B6F1EA2C4B04CE63B03578F6EB304E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.861{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862AF87679FF3D64C608DBA9B02662F3,SHA256=1EF6DF9778B09688B10BD25A5E4C765BE729992F2AAE7B958DC15E1106388CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.397{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3B13C4B4A63C2C6351EAF0AF6203B7,SHA256=8014644C17AAC074589507D427D85A6723893D6C07DECB5C8230C1673EA2A5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.127{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.111{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACEAB1F6AFBE67ADD1CD161FFE796E5B,SHA256=78351E825EC1D5A0CE9006DCDC208372A74765AA65E45D74AA93B23A9AC73892,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 13241300x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 23542300x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:26.908{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74BCDCF7B4A493336F971B243EC6105,SHA256=02080A414420459BCE244460A5561089CCA3518BB4998CDE6981698CE729E5FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.593{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55995-false10.0.1.12-8089- 23542300x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:26.412{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C127AA044DFB1E6174A5C392AF2322F,SHA256=F388CB31D21DB5C39CB08ACC28F9D5890CA14E19CCB5634A14424F6619B91194,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 13241300x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 23542300x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:27.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3441E8888CAC907910BDB44D79F5A,SHA256=993B897AECB5C9590A4172E46EA0BBC49EFE311A0D5B2FC9DD3BB763BDB68FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:27.428{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820190C255961D6FC715ADD4052D6CCC,SHA256=4CC6D9F9280DAA5A2B3B1731E783145E564534C6881F86EDDE68873C5695FDD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.562{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55996-false10.0.1.12-8000- 23542300x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:28.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899978FB6621C734C323087641FD6FBF,SHA256=E4EB93766C7ADF6F009539484937C07DAB04E77CFDD318B7555D7CCB516CE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.656{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50519-false10.0.1.12-8000- 23542300x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:28.444{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3322D807D5516DF510865FC914BFD885,SHA256=F7A7F26E8787B1D74B975D4E1CB04A3C15C5D46AF0C258CD833D43445E6D5710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:29.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6F72F5B573FEDB1F8D2E8E07517F7B,SHA256=96A12DE115AA294E798F6D4359B954CE8DE8C80B9DEBB18D1DB20A971EF4C4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:29.459{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F405DAA911C21E2CCE7EF71A2A4EA930,SHA256=BE67B83A1A973785F462E4A1681202E100A36B99086EAC6A5AD4EFF218B28871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.955{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AB6AB86F1F2A117AA8FF8F1F2736B5,SHA256=76AE08D6FCED7D6AA468986F77D4EDCC198ED11E01F0965489A9A5E9329BF46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:30.475{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6D545A56FB33FD39C290BED54FAD38,SHA256=6B311A7787C9B6DEE7AC2BC8E209ECF1054933E4E3C29220FD9C07376E5F2CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABAE1AA8EFFDC3118C0D60ECD4C0B56,SHA256=446E892CF8EED009C863C4BBD2B7CA2D99B5F198F3DDEFC874A45BD07CB6F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:32.506{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30B4ABAB747FE5D6D2CD39897045FD4,SHA256=55786275D124795A52168DF72CDE05D269DD0836E1CBB8927BDB973633205FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:32.142{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38499B2BC79CDFF025F4B5C3F48EA60F,SHA256=98134B0D3B5C9821DA8438260C6A655FDF2EE659BB9931B494E5CE701C5B726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.522{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906C107DA5EE4DE37989B8833B32054,SHA256=6D07A12A92FDB3D31235B289739F680A8A9A0F6FDF29A7A871B9CC67E6E6F8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:33.252{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F2E6B2807D22323F591535A578EDC5,SHA256=02E280DC2A01CA72245B78A72CCD4896AF7E21D3FFB3F3E6420F4802D08F83D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.625{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50520-false10.0.1.12-8000- 10341000x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.366{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.672{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55997-false10.0.1.12-8000- 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.600{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D32BCF6A0916937F6FE61824A018BCF,SHA256=981A850C28B98C853176AA46DF5D1BC5A4120C3668027E01285E93792E4E3B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:34.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88E011A9F008C691D9A4A81355B1B0C,SHA256=079B706E414784B1C2CB35939E7608F728E2DBD3FE21F918B9442D124E785250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED887438C2C8081D3990EBD9F20EAA0,SHA256=BC9F9147E5BE87912C686EA571D1555E5B7D3019C83C2084F32EE3BCD09A24FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:35.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309D13034D4BB66CBE9134B5EA027D91,SHA256=EB5003AB866B998322AB539A8BD5EAD9FD7AA42AE154D6CDD93C74BC407F6632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.226{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.006{6F8252D3-CE82-616F-5F02-000000000602}37481312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.332{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5215A21767C358E255ECA69CCE913E3,SHA256=89B1367DCBFF3B962D2A17EAC135292272139499F6F5D6519C547E6C04353E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.949{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7FA7DFA42DB4DA5EFEA63DC4744A7F,SHA256=66F87E952B2DEA40426E6815E9AB383F8690CF425B6BCF73040C2B0EC1528F13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.745{6F8252D3-CE85-616F-6202-000000000602}7241144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5911BD5CD283D4FADA1794216C8B,SHA256=1B817FDB54CC15589F885B8B1104A5A4DBC9BD1534AA1A8EA918C30BE84716E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:37.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FA12CB7AB0FE2CD53D6B79060CA36,SHA256=647E7087647315E5AE4EB31D1019F45F3DD663C1657BFE9A6DFE1BF4B1D21937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.120{6F8252D3-CE84-616F-6102-000000000602}2932912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:38.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A76D92C5EF16251F332236C8B6B93B,SHA256=98CCFB7F1A6F00589B738DABB653FE1A070A7DA88A059E59461632C208DAFA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BD4E75EEFA8D8FB1FF2B061E9C7A7,SHA256=328C5628989A229B201F988F692597B212040169A5FCA3C81D60E78523A38D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.327{6F8252D3-CE86-616F-6302-000000000602}10322940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.042{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759F0CED3BC28C3F516A94141134A303,SHA256=FF0EC3BA93052BB499F72084B70BADE6E7E81D7187D18BD2DE0337AF5DF12A62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.605{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.479{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E41294303D483B6B1504157473A00,SHA256=8011320B3E4B9532431A05E7E726B808C3615FD2CD2C20AA5E42CC295013E77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:39.566{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9570B7ED768ED027B58BE91715A4160,SHA256=9E6D4F0F41B8BD4BC4710602740B7A600999634239D6138254685D9C4A765E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.596{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55998-false10.0.1.12-8000- 23542300x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE55DB4C851223AF83CE3AA18711BF1,SHA256=43AFEAB8F95A4965A6912CAB422BCAC4DF743EECAE7B211401F5E541BD98CFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.786{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50521-false10.0.1.12-8000- 23542300x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.620{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B07ADA8E12A0519BAB8BB5FC8719F7,SHA256=60D9F14B29565FA7BB56BB6ED9AAF1D5A2D463601070FD41DAE90384F732D673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B81A1ACD97D95179528F7C3C878BAB,SHA256=11B76D44457F6994D65EA2A172AD502F8D38F0BED9F1F4100035E733AD9F2095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:40.583{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83305A043EEAC898910DBA183DC05D,SHA256=C99222A6864D19C5AAF3668E59345CAB8E7175AB0B101DB2FB781F17A28147F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:41.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BF6F727A9F53A63FA98483BDECB0B3,SHA256=978DE52874105B9AF43A77217BBBD0A905172A365144EF0F96A9F9E83F7E6CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:41.584{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECB34BD8A3484BB78BEE1C7742684B2,SHA256=2EF6EB9E105D93891673420634E7E50149E02AC40FD3B879BA7BE85838573BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C62F691520A1145A6C4052D47D3B5B,SHA256=7CABC09A8C333A34475704F0023166B1AD6F8EF0C8EDCACD54F44E2DD2EA5328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.510{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59FD1257E8257CA8E542612E1048924,SHA256=5B218F4C7E3C8C71943C8017E88E8263F429719EC45E3B56C1361B1EA2948884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:43.526{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C4A0D3E8DF8198371A748C4BA20AFF,SHA256=658F5A0F25730282F74683A958960FC11956D9796D547871AA3C0A9DFC2EE107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:43.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F3CB7A578D09AF238447FBE31EF5BF,SHA256=15ADA5081C68E3E96DBF7D7C97B9712C5636B98E4E8B53304D6BFE41271E0C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:44.541{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A8FCC5080176C39D2D82FCB07C3E8F,SHA256=3FED87ABF3E76D35CD0D5CA17317CA9DF2C34759723AFC52AF0B66AF11262B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:44.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C586C6B0FAB3CB7A1E5F4FE98643A97,SHA256=4B702878E45F02E7A12B7EDC959963B9C55B9B6D6C3C7F1B76A224257631FFBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50522-false10.0.1.12-8000- 354300x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.550{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55999-false10.0.1.12-8000- 23542300x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:45.557{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36F5343F1B57D68354BCFFCACCDDAC2,SHA256=CE856076D8DD54758FFA281BEEBCC31EAD00E6DAD61904A8773F2F491826EE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:45.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0EE67DE951BB8A9AA31EC3A53B13EF,SHA256=0FD85E6CEDAC2FE4596A8164237B48F6E300ABC2CF889E99660342882B0E8BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:46.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08315691B3ABD2F2C0C7B81B0A6D12C4,SHA256=C2E9C02093118C893CA9E2747C9B91B85CEFECD2B583CFC2950A825DFC43C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:46.573{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B8C4F1B0221114A471DDC2E43E3EFC,SHA256=3DAF989AAEA77AB4F9FE3CAF9133CE68D3606128A3E0A6D7A8EB2C08AD333AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:47.588{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B6BF952B825E440008C2277A241D6,SHA256=D47947E48547D240A3B620CBF0ED86B04699DAED08084B739C5301BCC6D1CA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952DDE114C00FD476A2B2A94201375B7,SHA256=FFE172252E8994F31164E649FE40D103D0702CD797DC2AF7EDDD6D7B64BDCB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.604{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB5CA7BCE57BB9AE3704EBB780C9482,SHA256=96B8F42BE962F88F8BCC8C662C262C334E4BF8213BE4B1CAB0270B8678C9C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:48.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A501FB3DDE96A3EB020D4DEABB02C39,SHA256=F83F57FC758F60D08CB18434082EFE879F4705201A5853E759154F76FCA58BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:49.729{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEE3EA3B8C4BC4F0A7DF9EA940BAF25,SHA256=10DB0D1A575088AE08CB611FC7A381C0713AF9FC94B041CCBE8F2A43D30E73DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.803{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E2C90347E0273F0EAC94487936933,SHA256=F8939018E542141940E9B33E52E45901B9B3D8F2928427A259D5D9EFFDAC7C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:50.744{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008CE9C82A7530123633E9754F7EB761,SHA256=DF0635057D21D450923879BCE6397DC12FE705F9DC760A2B1782CBF0EF3C8D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.975{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.707{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56000-false10.0.1.12-8000- 10341000x8000000000000000102401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.303{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.021{8D4DD44E-CE91-616F-8E02-000000000502}46844852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.880{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211066CA9CA0CA030B7EA1FF9D854022,SHA256=FC4AF0F5E7035E1AC9A8EB4E4E4D715780EC701C66BE78032157FDA445CAC90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.738{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50523-false10.0.1.12-8000- 23542300x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:51.760{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B80B46D4296A643955FD501A1E5F4,SHA256=22A2038CEB2ED5B42215DA6E029698F594934F0157EEA904FADB2B9D078492D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E385D941C0495C98F4D4D7ED9892B7B,SHA256=77FC0054D233067E45372D74BC4BB5A48C914EDDD64817B9204779716D6F6336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2284468DEA81860A576BC1578942F9C5,SHA256=BDF0FB1757A0FC79FE290ED2920D9D9655D6CCD3B1E6932F483C6FCAC57C035D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.975{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.943{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207A9E99C34F6CD8D60F5345A260E85,SHA256=19DE16E597C81846A6710421182B7AAE2A24CE7A7AEE87134D65F841827AAE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:52.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DE8A35E4EBF8E5363D5F2A8BA22026,SHA256=AB88C3828D755402FAAE87D06A50C81962C98CF4DE9945D88AE13EFDDEDDB8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:53.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2880D9EFA2DDB9C6D08ABA0D05270086,SHA256=6D69FE12E9DCFAE0B17BCE7EAAF44051FDBFFE918358E836D62AC0C425081357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-CE95-616F-9202-000000000502}47965008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E89050291105ED2374EF837C0C3F90,SHA256=E45324949ADF84D188726E6A46A862465FB445949102F880BCA8DB61C433A448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.647{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.177{8D4DD44E-CE94-616F-9102-000000000502}50881924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.900{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB6D64749BF2BB4F330E45C5E875DCE,SHA256=EE818B3DFBD6274A33F514CA926725FB6783AF8887B30EBB93AE2C27B476D7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDCFEB2739904FB34E70F490BAC3A81,SHA256=8AB04B4C7B95290DED6A073ACFCABAEB375FABFB7FFA172DFDF395A7F20B4A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-CE96-616F-9302-000000000502}50922436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD73694E4B878E777C9AFC07A78AE5A0,SHA256=5BFF3FFCDBA34587FB6D14ED61508BE6254265B4B896B4AA3F7B5FF6371E142E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.147{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:55.936{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6A6972FC33F91B08F937CC2E2D9139,SHA256=93ECF86497C063A117EFF82962FB640C5BEE3C49998D202DCDBA60D62C439153,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.613{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56002-false10.0.1.12-8000- 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.162{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC0BEC948B0B01F8165CAEEAC19EC5C,SHA256=69702AA27AF4053D112E45E81199A0B6C65BEA9197FF8DFE3C34611F1791D6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:56.951{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70AF9D535619AE96E06B04E6D3B13BD,SHA256=998CEED1AD3ABF6514C90DA8E7A9BBDEDA80A417BD6E8D3758AB53E2333C0685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CBA7752795EECBCC78D1BB8F932280,SHA256=6F40AE11BD798AB1ED8E0C5A4B23508E0F31EB523F986D3A54B2EDBA0398CE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423C926B39C29CF6D0F1742196414819,SHA256=F13046ABE718F9F887BCA5ED912E60E0776AAB3E24AD2767830375E7E70243F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50524-false10.0.1.12-8000- 23542300x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:57.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A98524115908E01C2230B8A7DE3C9E,SHA256=F9BDB4B2D662462889BA3981FCFF6DFE16C293374A5B5F7E18D91B9F269E753C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:58.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080AEA1F1FF442059E07FC74CF284AD3,SHA256=F1378B8A05BF348F072F9AA860412B8E2C09CDB197AB745ACE3C42FBA773C997,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4774C3B3A487FE3F41BCF4DADCAC7A,SHA256=D20E79E2356BA680631292F66DABC04DE315FFE84230D1B4B14190ECF9DCBE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:59.264{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E0717E0DDE23DC7720E94A6965471D,SHA256=B35965DD2755876BC939EE9BF94B713AA257B2C6A10B2F807C9C30923A1837ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BB6B1268D552A2119C25BB6DF762AF,SHA256=48B2EA2AA93556D50D869DF2BB15F9C48C018B8264C77DDAE637666DFC63A33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364ECB73065B302B2E3662BFFC810D85,SHA256=3AFA38E1247CC5C798A04BCDA8B91C6051221C3C2C9ACD677092A05EB4D55129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1F7D6337B973490A98A0108E628670,SHA256=1B6EC46234F3386AB8F9EA684BCB571822FC69C174034431B0E6C7E07E3B1029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FADC340855B0353764841BC47CACB47,SHA256=1E850F8F78EECDA195DC2D82955308F45BF64A7AD051E065D416684C11721CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.486{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-063MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D7EBC8DFDEA28C009B19126BFC6ECB,SHA256=33B38D714767D577EBDE9245A515DB9C6FA4C3E8D13BDE57CC5C8067180360B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:01.070{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704D6B6349A92B3A59523F3EF45FFFE4,SHA256=A782CDAFCBBBC581DBECB73B88FA892397D30A51CCC76213FAFDDC9C4AFD2DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.485{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DAA2EAF0273958484BE05A14F21468,SHA256=CB6C01501E28A215239CD54D6224C120B1D81B4F95E0F7E10265E528EB580659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.484{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:02.149{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8929E96CE1B8DC64FA364EB588F92C,SHA256=A8EBB283AFED84CF50C83BFD630D76B6994AC930A56B9BC1092B0C15CF5239C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:03.656{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C512ECCBFD837E3A32E5E35C1728D555,SHA256=B32A6FD09816B54FCCC188D1E2020FCFF022C4F5F1F5992644B4C337CCE71103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:03.320{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18B0DA6FB9EEF2D3E3AFB1DB3E495A3,SHA256=E015FCE50159B0BFF39EF692A7DD9B641E714A2E6BE294CEC6A6CFAA80975D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.711{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50525-false10.0.1.12-8000- 354300x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.569{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56006-false10.0.1.12-8000- 23542300x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:04.781{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BAA10520358156669CD597C7698BAB,SHA256=DA80B68E2F716D6F8195E6559C5FA5101F22C9A51584981E100AB24E6E892522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:04.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899D27D5B18D0B9350092767524FE4A0,SHA256=926C5ACC0B84410123711C8A21D1D0FD74A00C34C9AFAB1CFB601F958FE8E234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:05.812{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B1EA6A4E6021E90A630A811D70F023,SHA256=AA3927760F7BABF6ADCB9C20F63AEC3C36052DADB94485C9F55D8F703B4D0ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C15DC73E5FC29BF7F259A79B4C4F1D,SHA256=899C36CDC4980A8030320E6CF90B029B3AA1BF22C519EEF09E5EA64A341D3314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.813{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5F293DA04AD8C8AD248ACD422A13A,SHA256=2A3AE20A0908E6425DC08FCD50C4AA4503A3B2FA15AE3E4EACBCF6C159922AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:06.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EE1A478C352229E6B2F5D03FD42EFA,SHA256=F23BA7130CC47FE5AE25B40B70E7CD31B2DCB1FDC55C2E8DB01DF16109A91D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:07.828{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6C13BA17D3C90445E0447C31C85585,SHA256=62E73051A0088B635F7B6387CB94E4520AE8DD1D617ACA2F81287E0BF6107E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:07.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87CC6544C5ECB0880F0887E60B680DC,SHA256=6B2E0C47958FBD899D2F4741C6A93E8085DB4282D2326951BF361D3F8C7A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:08.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBBF87861C2A7516EE9BC002915A76C,SHA256=244FC371E68E4590414CACF85A16F3836F4562955C099DAF1FF3AD24EF7F6AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:08.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6400D5A6A8F8542BE435D0C7D92CF5E7,SHA256=F736DA0496D1DAC8CE4284DD6F14DAB3260B6261FCE99BCF3D7B54096EB7F08C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56007-false10.0.1.12-8000- 23542300x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5A1374A51778F7B735EE96349C76F7,SHA256=3FEFF2227F00A8C5564A4317C6DFA3974D8A55C7F6F246304049719BC0972746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:09.398{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917258BDFF28406B03B192B6454A1ADF,SHA256=588C2F7E899A3F3BAB0F092E57B2F05505DE981E124D3E2350FAC36B09FB3560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.531{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.665{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50526-false10.0.1.12-8000- 23542300x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:10.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B36C6CCF1CDE5914BF9A5E59015F1BB,SHA256=F4C710DDE1CBA66911B151F17B4725F724087E75D6AAF719BEE567E0D91B016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:10.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3BACDDB402644752F8C04E58E1D19,SHA256=8D90BB9029549EC46298B4F26EF01451975162503DF41A2F687D7D34AFE7BAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:11.539{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5AAC1D5E93BCFFB60DAC351ED28970,SHA256=5B47B604B2CD7D284A91FCB7AF877DA74E82E8016D4D1BA863C8B1C17EF6B044,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.072{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50527-false10.0.1.12-8089- 23542300x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32ECFF04B83581CBE4D56D6B764AAB,SHA256=8A265FD66EF29BBC2FBCA41B9AB7CEB4EC34D9FB33BE04E6ED9990514AB8313B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:12.031{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF29004C6F26540E4281FA7C7934173,SHA256=4BA57334D9F394D6412FC5C623241ADE42DB5B3BC094F6311D8A8C0314AF139C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47FE4DBEE48595E41F7E03032CDBCC1,SHA256=12D5214FE366BB7C80C6390DD77D95ADAD920A4CB0AAD8F0D3B501EFE37A244A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:13.140{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0EBE4427D52186CFD50883E92FE0B5,SHA256=F80DF602C9A9B00D423134FB9246D2AA5180EDA44CD14DC849E4A20EE9AF9F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Wi