23542300x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B72D1B55DAEBFEDD590774AFBF52D,SHA256=2E0D73C038613D5BFD1916EE12AA2DCCB10E35F2C6A3CC53056CF65948E94EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.738{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B2086ABC5D0FB54FCE9AB1C61D920,SHA256=59A5B85F905A5BADAB49790496CBAF77E0860EC71746B8056A63AEC0FF9679FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.400{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D23C3B49B7B63AB623CEC06347641F7,SHA256=398401A8EAC173B3BDF4430507EFBDEBB4BCAA669681E8887CC785F87E766EFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.442{6F8252D3-CE47-616F-5902-000000000602}10002992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.208{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:35.209{6F8252D3-CE47-616F-5902-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.925{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.926{6F8252D3-CE48-616F-5A02-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:36.754{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EDAA290A0F911ABE3FC28A75F67B2,SHA256=88FF3A2A9BE271412CE6AB1B6823324783CB9D88455C5C8B791D06C2A34BBB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:36.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135C40982BCEBC031FC3E8D71D7660A9,SHA256=07E0FB282E3814520077ADA109499DAEBF59A4C3A882B2959F7880407525E5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:34.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50509-false10.0.1.12-8000- 10341000x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.941{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.942{6F8252D3-CE49-616F-5C02-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:37.419{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489E60631C15C713C40EEC957529826,SHA256=D4179DD2C9660CB2E0B96C0EA44EF97BA138AE07FE81D46CF7FA74EE6F87E208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.754{6F8252D3-CE49-616F-5B02-000000000602}11683024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.425{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.426{6F8252D3-CE49-616F-5B02-000000000602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:37.160{6F8252D3-CE48-616F-5A02-000000000602}37841556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:38.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F28C31CABB680093989C945FB8CB9,SHA256=A256BE621B265A5AD7B9840E8D50F9AECB95142945E4A48995ECFE5BB0C2B465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98295537066EB346182B41D9BA309186,SHA256=73C38F4B432C29CAD763CAA55C4199BAE5C1F871E66531E19F5ECFFB413C66F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8082889414DF4280EA9D8CED92EDE29F,SHA256=11091671BBF8E7B6BE074718A9AF1B2F2DA3EA8C4B8257822B000D103CFA2DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:38.160{6F8252D3-CE49-616F-5C02-000000000602}28483652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:35.525{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55985-false10.0.1.12-8000- 23542300x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:39.466{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415AAE147560146A6E7DA77B26786A2,SHA256=EEC203A688999B33D56681194B2A9F106C1FE4F91420046FECDEAE0C180D719B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.644{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.645{6F8252D3-CE4B-616F-5D02-000000000602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5A04B82A7C36492653C3F92AB2604,SHA256=48E3F378308B895E0ACB5D4F90D2DCEF54E703A6BBCF88BDCABB02434A0C0721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.175{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E408FB267434D6A006ED45F50C8F6B8,SHA256=7FE5C2DB9107514E2FA583B4DC1D322948427D118411C6027445562FFDC54B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.675{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B27EE74885E22D9521A6C7BA56D1C4,SHA256=47CA0D25E52F4FCF561FEF1730A877B59B19D61757D033BB2164A9B35DFA7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:40.269{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4669AE8826AE9A2D56E0E3EC08A3E8,SHA256=A0FB42674CD74B05D619A22C3677DE0927EE0746076A45325E121C22D63B2124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20DC963443CDFBB7435CAC281906E9,SHA256=488A3420EF753C4AFFC8D46D0A1066259E75BFBE07378071F963FE6B9920E296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:41.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD2272CB67A3745C1B17CA9977CE48D,SHA256=EE642AFEBA67BA0E6E8EC833893F5D31228AF6BC55C61166BFAA4F3FC22F25A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:39.810{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50510-false10.0.1.12-8000- 23542300x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:41.363{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF62C59A58B3F4FB0BDF09EA72418490,SHA256=8E58A0B1D91288EE079F33DB5F30A32B0A506742350A84485B770D7B8F582B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:42.379{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA466715E1422BF146BBFB24517C43,SHA256=7AE69D6D241179DD737041B121781E9859172B9697B73A60DA4666861A631FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:42.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCA1BA1A6C11883F7DAFE5977E847E,SHA256=1A6899586274E42ECDE0917B0590282C644E3B59F9822C3B6F25ED1EACD38C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:43.394{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303DD25E2CC17FFCFAC7254EE3DD3DE6,SHA256=6364F4EF6AFBE66F88FC4C3989CEED08342D39025CC1D23225B3378AD80ACF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:43.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C959AABDD2AC6C4D3771296A3D938C93,SHA256=FA47F6DAC3E725426BEB1E45334E3CA685D8F72BF29148707C7B54DB39F4B00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:40.713{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55986-false10.0.1.12-8000- 23542300x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:44.425{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B13FCFA939268ECC736CE0A6079CA9F,SHA256=728C85A93220D8BC98696A809221E1DE79AB11462121E07523F30CF27E7A298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:44.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EB4E6238C47BF092952D2F92D3B04,SHA256=3A39AB7168204B2E8DC60D33EE3517191DCF7092C9BD896638A15D6F8B417251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422E29F23DC0F0FF16B46A2B705BB0A9,SHA256=83D002A3412B1365C59703DEF86033126B592469E4E57B94766221FB0180F592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:45.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A900A9B916854F143B769BE7DB7E0,SHA256=6963BFE64B8411B5D43717D10D0816E3AABD02207DA01865EDCE705BD47CC53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:46.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017C29EB33F549DABB821BC14798246,SHA256=8653DCD5AEDFC53F2B7CBD2C07FA73A6FDEEAF8B66122497B722DFAD7F801A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BDA51AE290C14E882F0A3F727AED3F,SHA256=13DCB5231AFB3EB8B3487415AD75D63F60A7E993AFE16CD1C987667384C97135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:47.644{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E97BB8B3613BF62EDE416A30E2C39B9,SHA256=75418CF9700F0478D448948DCF88512B290B16E1D2403452B459E528AEE7A03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:47.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F8B990821EC452C4CBAE92A5CDE912,SHA256=1F7487759E8E8FE8FE67D3A572CB6AF358A3404ED36B9A5805DC28F3C08265C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:48.660{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A647E868751748221848E078619CF17D,SHA256=F2AADC1766033AA7810B965A28784B5867F31C9E41728C5C1282614531D204D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:48.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4176B871DE7A646E989C31C24469A3D9,SHA256=4D926E54A4E5AB66124F690E904BA62BCBD00A81850823A53DB434042792E8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:45.638{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50511-false10.0.1.12-8000- 23542300x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:49.816{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8609D7805A8AB15FE7825D52FEE56089,SHA256=D8E315E444636DE0E671B19B005F7F48E0664B12486996912A44A38F41BF38BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.794{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.795{8D4DD44E-CE55-616F-8702-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:49.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0165AA5BC51260AE0CEE610000F1C3,SHA256=C10D4A65AD8C4A8B079F9F7818723CC6E59141A282189D7BB90F7407863F5C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:46.603{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55987-false10.0.1.12-8000- 23542300x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.956{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6FC1A380B1F554FE1DF17F49774DE0,SHA256=20845250B4F286B28FD5B6C8FCFA53EB36C09631AFB79FD26DD3DB25D716FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B69BE4D8E31A9E73FBAA6204C003D0E,SHA256=4FBA27469B112BAF7F355FD8C1D54D19702A68736C12B3F8C5DA20BA715AE4D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.967{8D4DD44E-CE56-616F-8902-000000000502}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.294{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.295{8D4DD44E-CE56-616F-8802-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.013{8D4DD44E-CE55-616F-8702-000000000502}46642172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:51.972{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348D85EB6AB5AA56E03B93923BC9BAE,SHA256=9FFC297CFB57F991C9D055DC70C32923B279CB7C7E04558FBB1CF28C4A33A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.982{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E9C990E01C3ED134F6F4CFA29C9EC8,SHA256=5C13652D6CFEC70FF25DFDA79A0A9B04D0DA42B23743804AC1D7FAD2C59AE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.966{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D2FA54E42B5A6951369E032E02CBCA,SHA256=C21DB86582254825F2284697A9F211C4C9E623568083E1B4C5908025F5867385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539E8D49D0B95254F9C33A14ABB9F54B,SHA256=B0DDA5D64B2F3A9C7F99E49E1F9A6934D590570E37DC0767C9E9873A5A49DFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:52.988{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBE51F1370DA34B25E8C6964D6A563C,SHA256=784324C51FE1941739A54EB0C0AF3B6A30D3541E544CB7C1E5B820DF0FDF6C29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.982{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:52.983{8D4DD44E-CE58-616F-8A02-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:50.416{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55988-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:50.685{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50512-false10.0.1.12-8000- 10341000x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.825{8D4DD44E-CE59-616F-8B02-000000000502}1552332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.654{8D4DD44E-CE59-616F-8B02-000000000502}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.169{8D4DD44E-CE58-616F-8A02-000000000502}19325028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:53.014{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5387DB01E17AF4031B86B23A5E86C78,SHA256=E76A79985F748A90FF83A6242A772B15D2293B02985AE794E8F089F6BCB09934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:51.697{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55989-false10.0.1.12-8000- 10341000x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.466{8D4DD44E-CE5A-616F-8C02-000000000502}26604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.326{8D4DD44E-CE5A-616F-8C02-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=410BF2B034A9C5DAB9FB8B05A7E3FB18,SHA256=B21D1534F6781665EC9DBF3C7E65EF06BCBD1DA7AB542ABBFD1C0FCF663E9D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:54.044{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6663EA88575027D6B72717F152476A5B,SHA256=81305189BB3B5D79DF0A581697C9E0F58EBBEAFC37BB34AA5DE7CFFD22C931A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:54.003{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58EC3A3CF7964D42D736E8127D567EF,SHA256=C48ED2F8822984E6B219A73B0399B10B33702105264760EE838D27FB308177BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.019{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA197FD4F4304997C3F8E282B10119B2,SHA256=C7E902B15C0A45F8A04F140B1B8F9FD3F38BFEEE46A393305DEAD9A6B9A7F09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.560{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.561{8D4DD44E-CE5B-616F-8D02-000000000502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0542AD7128CBD608F36DFA52CB67CD7,SHA256=238373E36C8A2691DFE907617593653F6CF0B6C94C348EB588285A9270A1790E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:55.107{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E52E718E4998FD331FE1D334320796,SHA256=B67D5058D2722B8AC525CFB917775724AB10560D0D7CECEAF0FB58813FF7F24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:56.024{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3856AC24DAAD845159586F95BCD4D82,SHA256=F38BC2D3D6639AF98DBA9EC61BD60FCF167C73F524F89820C094B907A93470DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C208D75DD9647E30DE720DAEA1731D6,SHA256=08FE9C29E1C6824D6D01FD2788C830A7162E447A0D6CBBF61360FCF2D049855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:56.158{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D7C6D62A1E6CA46A820EC0D7627A2E,SHA256=5621EA99CBAC2B030838AA8D3EA6E4FB39D48FA2EA1EAC3E8EC43137CA4CE5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:57.040{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1EAE82A62A00609947ACB01D7FACD,SHA256=5086C29BC943094BDCF0FCFD735FA89EBE8DDAF7CDE029618A16F007E79C3713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.174{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE97949430A9A9A610D6E4907A29B5,SHA256=A1EEF709550A4049B71DA142CAFA7ACB3DA193EC33174BEF2DB59803911BB48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:58.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5868DFD5A23130EF8E7472D900DF6B1,SHA256=A9BAE50DD24E38292510B2B14758F4C5D45DEE2D5E44D2588B63BDAAAD495916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:55.721{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50513-false10.0.1.12-8000- 23542300x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:58.055{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BA2A09AD1D056EDA39EC6FADB5AC76,SHA256=C348E2E769A508043B8C8B00A173A838578311B430C8C88CBC256D6D112DC432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:57.531{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55990-false10.0.1.12-8000- 23542300x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:07:59.346{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295414E12DD116DC285DD7C48B6D797D,SHA256=49D641EAC2CBF0A76E66EB97C8CD5BBEA5EAD5508AC518453DBCADD2DB90C90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.949{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-062MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:07:59.071{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EC13511F6C499EB40E3355A708D103,SHA256=D8EFD27F204C2799ABB7C40E2A95B4552194C85647A6C118B5A42BEC785C2E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.964{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:00.072{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59974489F116C58082CD0FAFCE4300CA,SHA256=D690BD292CF29E6251DDBCF6500CDF297D8AC872CA48067926AAC5AE7658FDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:00.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9316462B422A12141FBCB453A0E93E44,SHA256=FB823FD95D1D7AC1F8C64766E27245312CAC945BB2B714D4FA84FE0E19E7472E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.086{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158C69001AA1A4F5ED4C68B485BF32D,SHA256=FBC551CD75F9B7CCB2687E4840A0EDC3CFA9445BC6F44F58DBE1C97983DC58DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:01.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950009B2DE2E6F439BB3239B5C097B8C,SHA256=A8653292470780646E9700C4F81E9726BF1F9FAF203CED3F062C7B4E6FA9C3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:02.089{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F561B2B6B5CFC90DD77DD44CD15209,SHA256=4E42B0214F7F830CFA65E0200F762524757C3555D1BFA8E5D0C3666212C63D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:03.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:03.104{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8092FDA4A103DC3D1BC74C6F5503064,SHA256=F9A50C2869BEE125704F9746F24908C3E60A26488A174F5D1800BBD2A60850B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:01.676{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50514-false10.0.1.12-8000- 23542300x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:04.120{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB3877A93379B03A41121621DE7E98B,SHA256=B3BB220F040F50E29B8BC864BC097CFC2B8B9DFF958E32232D97DD8E4BBBFBF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:02.656{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55991-false10.0.1.12-8000- 23542300x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:04.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:05.136{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE15CD2A628FBA6391C4B44AF2B1A73,SHA256=2D7B97DF3A908E65CF66359F12780FB3147DAA76A4CBF625B6122B4EB8C76B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:05.502{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034FED3B20B1F7874FCABCB8031D5983,SHA256=556E8A37E45DBE3B2F84EE41166C546D6EA0A85474E9096CA96E70DFE2AB7F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:06.518{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825202F7730F67D3BA306E5EF95F786C,SHA256=5A82192FBABEA89751BD58BC92A96BC53D46D3AE8DA36D7A89406EF915AC56B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:06.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67519A53AF11615A3374EC590C3D76E,SHA256=91D5D3D70823E6E17AB7CF6E8414DEBDE3593D558E700A25B2A4990A08976EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:07.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.167{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3191AF859BAA2731A42EBC4EEB700B5F,SHA256=167EBA6CDC2A4FA9E9D0E2751B7D441FA0A76121D1550890708056352980AD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:08.182{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC300DAE80D154A0C0101AA85EA8FAF,SHA256=BEF858911814B46120178B860F7555004FAD9AAA2A7D07589A3788EE6E1E01A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40451548950A4A25CBAE648F0493562E,SHA256=A8995D68AF3EEDB2EA57CD9B214676BDEF480E3A3EE6A143AC768DCB2B3E0801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.510{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.198{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04031BE41FFB1B892C6345C7C614A3B3,SHA256=D8541CCAF96EABC48856FB4D2AAAB5D044C82F1910BE73C294F3ADC59C558067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:09.534{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA950C838F7CB287210A1998979E19DC,SHA256=1C428E4E5DA9F08F4685A03F954D2C16A3830E047CEF4BF89C0CBC3A9EDA0D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:10.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428A512A39B1F82F8C0093956756031A,SHA256=F0196DBFDBA7C2FD2773FAA0B88AF12EAB87B5754EB1063A08A2EE89D601E1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:10.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2D4C3611983F2EBE1B78F9C555534F,SHA256=633C6DD66B3CA46F25D107FCE45728C67A0CEF287C28DA6283B3A1C819B0FE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:07.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50515-false10.0.1.12-8000- 354300x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.515{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55992-false10.0.1.12-8000- 354300x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-185.attackrange.local138netbios-dgm 354300x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:08.144{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000102315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:11.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B822987ED38C3D3D4F8EAB88AABC5D1,SHA256=AA105A47B6341B4C8E8F53DE6EBD19287B08455EE22D14125E95C928305AE1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:11.229{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE6207F25D596FED3B1EEDB4BB24BC,SHA256=521ADAD74590A5C8FDC672ABD8B4813DF7740F0CFE5E94C727B73C93E47EC6E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:09.051{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50516-false10.0.1.12-8089- 23542300x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:12.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C311041D95F16610F4F5655865D09760,SHA256=1A76C0759EE70842E484F3F9D959598D802F1CBEB9446F8BCF63BAAC752B4D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:12.549{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4860F5058439EC016EF7DAD7EB2FCF53,SHA256=474D6B3F78AC7DEAC244E014AE8B9CA5DC156F48DFDA496A0A5FF21B5B13BCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB53BEC2922BE737954A93474F162A,SHA256=E960E9C30D8B7DA175B64C24D814117D71855611EBFCDFB91CE90D8FE95C1F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:13.565{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802BFA2AB9A3D397DE25B54913FD028,SHA256=10393282964BB5320484D599D7FDF473AC9128C259626205AEAE8B55471534EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.582{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6A3483FB28860EDAF99A585D2AA5A7,SHA256=A261ECB3AB875FCE48689A0AD4AA6C43A808253F3C0AF7E87A74EBCE537696B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:14.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE1737095C1968F183995A3DC2D20B,SHA256=A9F03CE9459EF35D3A58603E5F28DBA97FFF10476847F6EA81310625ED210D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.507{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-062MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCAF0146FAFC8BE2CD8FCCF6DEEC263,SHA256=D57D08FCA5CF8F0AF8DACB5D0799403A8DF230B080A65B3B9CCEA41BE767D466,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:15.595{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c589-0xa25db7ac) 23542300x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:15.276{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5863550AA33B77CC3407D361B286AB,SHA256=24CB08D3BECC68BF394C0DECDA66D88BE370D2AEE5A0F658C3CFAD2E93CFDB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:15.505{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:13.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50517-false10.0.1.12-8000- 23542300x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:16.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1C1D26BC37086F03B52EAFDA99FDEC,SHA256=6014D37C59FA6116579FDCA96B84E63EF81169909D5DA6E15E2D02AAB4AAFFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:14.486{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55993-false10.0.1.12-8000- 23542300x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:16.595{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D36ADA3931E5E9B6141609E42173779,SHA256=EA2FF400CDD1648BAF2C26B6E26CFC907127F3C05EFB48CD8AB019ECC77550C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:17.302{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386D60406165E548BB9E3A9A75E3B9A7,SHA256=22C6BA7B17EC0C845E7730457B3CB0FE20C0E4E3F48912A1B07F655C7FFD29A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:17.596{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF48A7080A3BB56A1BF9EC0037DB8C1,SHA256=5BD5AEBFDFDF4E7741AD8DBA3C5DF7213B744C6F2ECC263243C48E151C7EF116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:18.627{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C65B9D320BA911D2F08C2C75B0D84BD,SHA256=36341D2805D17954220BA39C6EDD76E62CD1E0F01A245B84BE0056C9D4DF1F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:18.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA72EDF87A0584597965E0FCC777269A,SHA256=9A88DE07C68A1479E9AB42D51FCE281772356405A2B274A101151F396DCE337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.736{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D2D172EE21749B010890B9CD18E2D,SHA256=B1F4A3770884699304144EA868D135AE7B9D6A661DC97DFD97DCC8689EFBDD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05650893CCFF60A68B12D938C9593B0,SHA256=59A2B6AD7611FA07B1983493BA3AA2BC506257269D624E8864772A3311B7E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:20.783{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58D847276795003FE92182693968F21,SHA256=BE0674E7089BBB0E86599A29C72E52A87699D558470FCEF22CE6B45715315BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:20.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296A19C5865210613584F86AA7FDB1DF,SHA256=4EAB68415661AA5BCF0F37608A3E3AFB0E4E6C9FFDD2602E13860CDF4AB19A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:19.671{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50518-false10.0.1.12-8000- 23542300x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:21.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90217759CD8C556B4F9E120F3D08668,SHA256=413FC7E7CE5E0349EC2D84AA82DC41A71AD77CC6F011D09D86730437A7AB0112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:21.799{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF4EAADB4181B4C0FCB7F62D40E8104,SHA256=D23B886A05AED15481F8BF97A5497CD5E31C1B3C47D7002469CBCEC17B4BC09A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:19.609{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55994-false10.0.1.12-8000- 23542300x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:22.814{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB737B648774CBE88796F833924857C,SHA256=7EF3283C88084097E4504082074BDB267C37920424113B3FCCED1A3FD7D66B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:22.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86CBA975BA5642F08E784CC27D22FDF,SHA256=0C8F2D3F3A8AB8266DC0910DCBF6CA44E689C27E99C2BFD2B571040BBDDBB78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:23.845{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27367ABA0277EB2A81DB9AD46030CAA,SHA256=EE6BD08ECC2CFE5173311C0EFAD411B2969024E4BC58E011A8691D5043986538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB3B5DDBD61DB3CBC0FDA974A86431,SHA256=D9985041D09FD3E85F33C5C1D1F531170BE38A9079F33442F0EE8783E9DBCE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:23.067{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FE0602D19E954A218AFB6C3298940DC3,SHA256=4E122A3A47EB4AA8ED7E945E97E78D790CF9494B60D96F0DB82DC6E00440EA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.846{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B7D8D1D577B2CA2CD056B61EC4AC7,SHA256=41EBE274194D77B128F5C7BDD4CAF68725A64120088C912368FE8B51A834F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:24.395{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD654091E322AD717BD608F58D21A2E3,SHA256=E16442739A1271799432362739685B3C1B6F1EA2C4B04CE63B03578F6EB304E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.861{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862AF87679FF3D64C608DBA9B02662F3,SHA256=1EF6DF9778B09688B10BD25A5E4C765BE729992F2AAE7B958DC15E1106388CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.397{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3B13C4B4A63C2C6351EAF0AF6203B7,SHA256=8014644C17AAC074589507D427D85A6723893D6C07DECB5C8230C1673EA2A5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.127{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.111{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACEAB1F6AFBE67ADD1CD161FFE796E5B,SHA256=78351E825EC1D5A0CE9006DCDC208372A74765AA65E45D74AA93B23A9AC73892,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 13241300x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c2b80) 13241300x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x45cc8f17) 13241300x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa790f717) 13241300x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:08:25.020{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x09555f17) 23542300x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:26.908{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74BCDCF7B4A493336F971B243EC6105,SHA256=02080A414420459BCE244460A5561089CCA3518BB4998CDE6981698CE729E5FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:24.593{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55995-false10.0.1.12-8089- 23542300x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:26.412{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C127AA044DFB1E6174A5C392AF2322F,SHA256=F388CB31D21DB5C39CB08ACC28F9D5890CA14E19CCB5634A14424F6619B91194,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 13241300x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c43ac) 13241300x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0x46a3f653) 13241300x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c589-0xa8685e53) 13241300x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:26.283{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0x0a2cc653) 23542300x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:27.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3441E8888CAC907910BDB44D79F5A,SHA256=993B897AECB5C9590A4172E46EA0BBC49EFE311A0D5B2FC9DD3BB763BDB68FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:27.428{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820190C255961D6FC715ADD4052D6CCC,SHA256=4CC6D9F9280DAA5A2B3B1731E783145E564534C6881F86EDDE68873C5695FDD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:25.562{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55996-false10.0.1.12-8000- 23542300x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:28.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899978FB6621C734C323087641FD6FBF,SHA256=E4EB93766C7ADF6F009539484937C07DAB04E77CFDD318B7555D7CCB516CE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:25.656{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50519-false10.0.1.12-8000- 23542300x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:28.444{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3322D807D5516DF510865FC914BFD885,SHA256=F7A7F26E8787B1D74B975D4E1CB04A3C15C5D46AF0C258CD833D43445E6D5710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:29.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6F72F5B573FEDB1F8D2E8E07517F7B,SHA256=96A12DE115AA294E798F6D4359B954CE8DE8C80B9DEBB18D1DB20A971EF4C4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:29.459{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F405DAA911C21E2CCE7EF71A2A4EA930,SHA256=BE67B83A1A973785F462E4A1681202E100A36B99086EAC6A5AD4EFF218B28871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.955{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AB6AB86F1F2A117AA8FF8F1F2736B5,SHA256=76AE08D6FCED7D6AA468986F77D4EDCC198ED11E01F0965489A9A5E9329BF46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:30.475{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6D545A56FB33FD39C290BED54FAD38,SHA256=6B311A7787C9B6DEE7AC2BC8E209ECF1054933E4E3C29220FD9C07376E5F2CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABAE1AA8EFFDC3118C0D60ECD4C0B56,SHA256=446E892CF8EED009C863C4BBD2B7CA2D99B5F198F3DDEFC874A45BD07CB6F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:32.506{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30B4ABAB747FE5D6D2CD39897045FD4,SHA256=55786275D124795A52168DF72CDE05D269DD0836E1CBB8927BDB973633205FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:32.142{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38499B2BC79CDFF025F4B5C3F48EA60F,SHA256=98134B0D3B5C9821DA8438260C6A655FDF2EE659BB9931B494E5CE701C5B726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.522{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906C107DA5EE4DE37989B8833B32054,SHA256=6D07A12A92FDB3D31235B289739F680A8A9A0F6FDF29A7A871B9CC67E6E6F8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:33.252{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F2E6B2807D22323F591535A578EDC5,SHA256=02E280DC2A01CA72245B78A72CCD4896AF7E21D3FFB3F3E6420F4802D08F83D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:31.625{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50520-false10.0.1.12-8000- 10341000x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.365{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:33.366{6F8252D3-CE81-616F-5E02-000000000602}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:30.672{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55997-false10.0.1.12-8000- 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.725{6F8252D3-CE82-616F-5F02-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.600{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D32BCF6A0916937F6FE61824A018BCF,SHA256=981A850C28B98C853176AA46DF5D1BC5A4120C3668027E01285E93792E4E3B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:34.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88E011A9F008C691D9A4A81355B1B0C,SHA256=079B706E414784B1C2CB35939E7608F728E2DBD3FE21F918B9442D124E785250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:34.490{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED887438C2C8081D3990EBD9F20EAA0,SHA256=BC9F9147E5BE87912C686EA571D1555E5B7D3019C83C2084F32EE3BCD09A24FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:35.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309D13034D4BB66CBE9134B5EA027D91,SHA256=EB5003AB866B998322AB539A8BD5EAD9FD7AA42AE154D6CDD93C74BC407F6632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.225{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.226{6F8252D3-CE83-616F-6002-000000000602}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:35.006{6F8252D3-CE82-616F-5F02-000000000602}37481312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.332{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5215A21767C358E255ECA69CCE913E3,SHA256=89B1367DCBFF3B962D2A17EAC135292272139499F6F5D6519C547E6C04353E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.948{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.949{6F8252D3-CE84-616F-6102-000000000602}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399E75FB303E09823DCE6B3F01B560A8,SHA256=7E9A24B6E10A67CF1291D0B22FBD8C85834EF1FC38D67FB5B8B5A586850ECE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.151{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7FA7DFA42DB4DA5EFEA63DC4744A7F,SHA256=66F87E952B2DEA40426E6815E9AB383F8690CF425B6BCF73040C2B0EC1528F13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.745{6F8252D3-CE85-616F-6202-000000000602}7241144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.495{6F8252D3-CE85-616F-6202-000000000602}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.245{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5911BD5CD283D4FADA1794216C8B,SHA256=1B817FDB54CC15589F885B8B1104A5A4DBC9BD1534AA1A8EA918C30BE84716E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:37.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FA12CB7AB0FE2CD53D6B79060CA36,SHA256=647E7087647315E5AE4EB31D1019F45F3DD663C1657BFE9A6DFE1BF4B1D21937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:37.120{6F8252D3-CE84-616F-6102-000000000602}2932912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:38.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A76D92C5EF16251F332236C8B6B93B,SHA256=98CCFB7F1A6F00589B738DABB653FE1A070A7DA88A059E59461632C208DAFA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BD4E75EEFA8D8FB1FF2B061E9C7A7,SHA256=328C5628989A229B201F988F692597B212040169A5FCA3C81D60E78523A38D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.327{6F8252D3-CE86-616F-6302-000000000602}10322940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.167{6F8252D3-CE86-616F-6302-000000000602}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:38.042{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759F0CED3BC28C3F516A94141134A303,SHA256=FF0EC3BA93052BB499F72084B70BADE6E7E81D7187D18BD2DE0337AF5DF12A62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.604{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.605{6F8252D3-CE87-616F-6402-000000000602}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.479{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E41294303D483B6B1504157473A00,SHA256=8011320B3E4B9532431A05E7E726B808C3615FD2CD2C20AA5E42CC295013E77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:39.566{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9570B7ED768ED027B58BE91715A4160,SHA256=9E6D4F0F41B8BD4BC4710602740B7A600999634239D6138254685D9C4A765E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:36.596{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55998-false10.0.1.12-8000- 23542300x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:39.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE55DB4C851223AF83CE3AA18711BF1,SHA256=43AFEAB8F95A4965A6912CAB422BCAC4DF743EECAE7B211401F5E541BD98CFB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:36.786{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50521-false10.0.1.12-8000- 23542300x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.620{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B07ADA8E12A0519BAB8BB5FC8719F7,SHA256=60D9F14B29565FA7BB56BB6ED9AAF1D5A2D463601070FD41DAE90384F732D673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:40.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B81A1ACD97D95179528F7C3C878BAB,SHA256=11B76D44457F6994D65EA2A172AD502F8D38F0BED9F1F4100035E733AD9F2095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:40.583{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83305A043EEAC898910DBA183DC05D,SHA256=C99222A6864D19C5AAF3668E59345CAB8E7175AB0B101DB2FB781F17A28147F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:41.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BF6F727A9F53A63FA98483BDECB0B3,SHA256=978DE52874105B9AF43A77217BBBD0A905172A365144EF0F96A9F9E83F7E6CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:41.584{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECB34BD8A3484BB78BEE1C7742684B2,SHA256=2EF6EB9E105D93891673420634E7E50149E02AC40FD3B879BA7BE85838573BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C62F691520A1145A6C4052D47D3B5B,SHA256=7CABC09A8C333A34475704F0023166B1AD6F8EF0C8EDCACD54F44E2DD2EA5328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.510{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59FD1257E8257CA8E542612E1048924,SHA256=5B218F4C7E3C8C71943C8017E88E8263F429719EC45E3B56C1361B1EA2948884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:43.526{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C4A0D3E8DF8198371A748C4BA20AFF,SHA256=658F5A0F25730282F74683A958960FC11956D9796D547871AA3C0A9DFC2EE107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:43.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F3CB7A578D09AF238447FBE31EF5BF,SHA256=15ADA5081C68E3E96DBF7D7C97B9712C5636B98E4E8B53304D6BFE41271E0C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:44.541{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A8FCC5080176C39D2D82FCB07C3E8F,SHA256=3FED87ABF3E76D35CD0D5CA17317CA9DF2C34759723AFC52AF0B66AF11262B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:44.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C586C6B0FAB3CB7A1E5F4FE98643A97,SHA256=4B702878E45F02E7A12B7EDC959963B9C55B9B6D6C3C7F1B76A224257631FFBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:42.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50522-false10.0.1.12-8000- 354300x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:42.550{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local55999-false10.0.1.12-8000- 23542300x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:45.557{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36F5343F1B57D68354BCFFCACCDDAC2,SHA256=CE856076D8DD54758FFA281BEEBCC31EAD00E6DAD61904A8773F2F491826EE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:45.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0EE67DE951BB8A9AA31EC3A53B13EF,SHA256=0FD85E6CEDAC2FE4596A8164237B48F6E300ABC2CF889E99660342882B0E8BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:46.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08315691B3ABD2F2C0C7B81B0A6D12C4,SHA256=C2E9C02093118C893CA9E2747C9B91B85CEFECD2B583CFC2950A825DFC43C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:46.573{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B8C4F1B0221114A471DDC2E43E3EFC,SHA256=3DAF989AAEA77AB4F9FE3CAF9133CE68D3606128A3E0A6D7A8EB2C08AD333AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:47.588{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B6BF952B825E440008C2277A241D6,SHA256=D47947E48547D240A3B620CBF0ED86B04699DAED08084B739C5301BCC6D1CA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952DDE114C00FD476A2B2A94201375B7,SHA256=FFE172252E8994F31164E649FE40D103D0702CD797DC2AF7EDDD6D7B64BDCB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.604{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB5CA7BCE57BB9AE3704EBB780C9482,SHA256=96B8F42BE962F88F8BCC8C662C262C334E4BF8213BE4B1CAB0270B8678C9C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:48.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A501FB3DDE96A3EB020D4DEABB02C39,SHA256=F83F57FC758F60D08CB18434082EFE879F4705201A5853E759154F76FCA58BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:49.729{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEE3EA3B8C4BC4F0A7DF9EA940BAF25,SHA256=10DB0D1A575088AE08CB611FC7A381C0713AF9FC94B041CCBE8F2A43D30E73DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.802{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.803{8D4DD44E-CE91-616F-8E02-000000000502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:49.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E2C90347E0273F0EAC94487936933,SHA256=F8939018E542141940E9B33E52E45901B9B3D8F2928427A259D5D9EFFDAC7C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:50.744{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008CE9C82A7530123633E9754F7EB761,SHA256=DF0635057D21D450923879BCE6397DC12FE705F9DC760A2B1782CBF0EF3C8D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.975{8D4DD44E-CE92-616F-9002-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:47.707{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56000-false10.0.1.12-8000- 10341000x8000000000000000102401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.302{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.303{8D4DD44E-CE92-616F-8F02-000000000502}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.021{8D4DD44E-CE91-616F-8E02-000000000502}46844852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.880{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211066CA9CA0CA030B7EA1FF9D854022,SHA256=FC4AF0F5E7035E1AC9A8EB4E4E4D715780EC701C66BE78032157FDA445CAC90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:48.738{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50523-false10.0.1.12-8000- 23542300x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:51.760{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B80B46D4296A643955FD501A1E5F4,SHA256=22A2038CEB2ED5B42215DA6E029698F594934F0157EEA904FADB2B9D078492D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C5BCE7FF4B843433103846BCA2949F,SHA256=0A10CB6F223014207EF2BE1A2E18055B775BAB4D7EEA04A451D530C82A417B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E385D941C0495C98F4D4D7ED9892B7B,SHA256=77FC0054D233067E45372D74BC4BB5A48C914EDDD64817B9204779716D6F6336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:51.021{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2284468DEA81860A576BC1578942F9C5,SHA256=BDF0FB1757A0FC79FE290ED2920D9D9655D6CCD3B1E6932F483C6FCAC57C035D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.974{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.975{8D4DD44E-CE94-616F-9102-000000000502}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:52.943{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207A9E99C34F6CD8D60F5345A260E85,SHA256=19DE16E597C81846A6710421182B7AAE2A24CE7A7AEE87134D65F841827AAE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:52.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DE8A35E4EBF8E5363D5F2A8BA22026,SHA256=AB88C3828D755402FAAE87D06A50C81962C98CF4DE9945D88AE13EFDDEDDB8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:50.426{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56001-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:53.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2880D9EFA2DDB9C6D08ABA0D05270086,SHA256=6D69FE12E9DCFAE0B17BCE7EAAF44051FDBFFE918358E836D62AC0C425081357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-CE95-616F-9202-000000000502}47965008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E89050291105ED2374EF837C0C3F90,SHA256=E45324949ADF84D188726E6A46A862465FB445949102F880BCA8DB61C433A448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.646{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.647{8D4DD44E-CE95-616F-9202-000000000502}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.177{8D4DD44E-CE94-616F-9102-000000000502}50881924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.900{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB6D64749BF2BB4F330E45C5E875DCE,SHA256=EE818B3DFBD6274A33F514CA926725FB6783AF8887B30EBB93AE2C27B476D7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDCFEB2739904FB34E70F490BAC3A81,SHA256=8AB04B4C7B95290DED6A073ACFCABAEB375FABFB7FFA172DFDF395A7F20B4A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-CE96-616F-9302-000000000502}50922436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.443{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD73694E4B878E777C9AFC07A78AE5A0,SHA256=5BFF3FFCDBA34587FB6D14ED61508BE6254265B4B896B4AA3F7B5FF6371E142E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.146{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:54.147{8D4DD44E-CE96-616F-9302-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:55.936{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6A6972FC33F91B08F937CC2E2D9139,SHA256=93ECF86497C063A117EFF82962FB640C5BEE3C49998D202DCDBA60D62C439153,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:53.613{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56002-false10.0.1.12-8000- 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.553{8D4DD44E-CE97-616F-9402-000000000502}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:55.162{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC0BEC948B0B01F8165CAEEAC19EC5C,SHA256=69702AA27AF4053D112E45E81199A0B6C65BEA9197FF8DFE3C34611F1791D6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:56.951{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70AF9D535619AE96E06B04E6D3B13BD,SHA256=998CEED1AD3ABF6514C90DA8E7A9BBDEDA80A417BD6E8D3758AB53E2333C0685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.773{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9CBA7752795EECBCC78D1BB8F932280,SHA256=6F40AE11BD798AB1ED8E0C5A4B23508E0F31EB523F986D3A54B2EDBA0398CE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:56.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423C926B39C29CF6D0F1742196414819,SHA256=F13046ABE718F9F887BCA5ED912E60E0776AAB3E24AD2767830375E7E70243F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:54.723{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50524-false10.0.1.12-8000- 23542300x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:57.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A98524115908E01C2230B8A7DE3C9E,SHA256=F9BDB4B2D662462889BA3981FCFF6DFE16C293374A5B5F7E18D91B9F269E753C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:58.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080AEA1F1FF442059E07FC74CF284AD3,SHA256=F1378B8A05BF348F072F9AA860412B8E2C09CDB197AB745ACE3C42FBA773C997,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:08:58.976{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4774C3B3A487FE3F41BCF4DADCAC7A,SHA256=D20E79E2356BA680631292F66DABC04DE315FFE84230D1B4B14190ECF9DCBE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:08:59.264{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E0717E0DDE23DC7720E94A6965471D,SHA256=B35965DD2755876BC939EE9BF94B713AA257B2C6A10B2F807C9C30923A1837ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BB6B1268D552A2119C25BB6DF762AF,SHA256=48B2EA2AA93556D50D869DF2BB15F9C48C018B8264C77DDAE637666DFC63A33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364ECB73065B302B2E3662BFFC810D85,SHA256=3AFA38E1247CC5C798A04BCDA8B91C6051221C3C2C9ACD677092A05EB4D55129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.482{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56005-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.475{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56004-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:58.461{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56003-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1F7D6337B973490A98A0108E628670,SHA256=1B6EC46234F3386AB8F9EA684BCB571822FC69C174034431B0E6C7E07E3B1029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:00.008{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FADC340855B0353764841BC47CACB47,SHA256=1E850F8F78EECDA195DC2D82955308F45BF64A7AD051E065D416684C11721CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.486{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-063MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:01.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D7EBC8DFDEA28C009B19126BFC6ECB,SHA256=33B38D714767D577EBDE9245A515DB9C6FA4C3E8D13BDE57CC5C8067180360B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:01.070{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704D6B6349A92B3A59523F3EF45FFFE4,SHA256=A782CDAFCBBBC581DBECB73B88FA892397D30A51CCC76213FAFDDC9C4AFD2DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.485{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DAA2EAF0273958484BE05A14F21468,SHA256=CB6C01501E28A215239CD54D6224C120B1D81B4F95E0F7E10265E528EB580659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:02.484{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:02.149{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8929E96CE1B8DC64FA364EB588F92C,SHA256=A8EBB283AFED84CF50C83BFD630D76B6994AC930A56B9BC1092B0C15CF5239C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:03.656{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C512ECCBFD837E3A32E5E35C1728D555,SHA256=B32A6FD09816B54FCCC188D1E2020FCFF022C4F5F1F5992644B4C337CCE71103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:03.320{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18B0DA6FB9EEF2D3E3AFB1DB3E495A3,SHA256=E015FCE50159B0BFF39EF692A7DD9B641E714A2E6BE294CEC6A6CFAA80975D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:00.711{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50525-false10.0.1.12-8000- 354300x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:08:59.569{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56006-false10.0.1.12-8000- 23542300x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:04.781{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BAA10520358156669CD597C7698BAB,SHA256=DA80B68E2F716D6F8195E6559C5FA5101F22C9A51584981E100AB24E6E892522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:04.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899D27D5B18D0B9350092767524FE4A0,SHA256=926C5ACC0B84410123711C8A21D1D0FD74A00C34C9AFAB1CFB601F958FE8E234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:05.812{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B1EA6A4E6021E90A630A811D70F023,SHA256=AA3927760F7BABF6ADCB9C20F63AEC3C36052DADB94485C9F55D8F703B4D0ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C15DC73E5FC29BF7F259A79B4C4F1D,SHA256=899C36CDC4980A8030320E6CF90B029B3AA1BF22C519EEF09E5EA64A341D3314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.813{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5F293DA04AD8C8AD248ACD422A13A,SHA256=2A3AE20A0908E6425DC08FCD50C4AA4503A3B2FA15AE3E4EACBCF6C159922AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:06.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EE1A478C352229E6B2F5D03FD42EFA,SHA256=F23BA7130CC47FE5AE25B40B70E7CD31B2DCB1FDC55C2E8DB01DF16109A91D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:07.828{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6C13BA17D3C90445E0447C31C85585,SHA256=62E73051A0088B635F7B6387CB94E4520AE8DD1D617ACA2F81287E0BF6107E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:07.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87CC6544C5ECB0880F0887E60B680DC,SHA256=6B2E0C47958FBD899D2F4741C6A93E8085DB4282D2326951BF361D3F8C7A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:08.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBBF87861C2A7516EE9BC002915A76C,SHA256=244FC371E68E4590414CACF85A16F3836F4562955C099DAF1FF3AD24EF7F6AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:08.351{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6400D5A6A8F8542BE435D0C7D92CF5E7,SHA256=F736DA0496D1DAC8CE4284DD6F14DAB3260B6261FCE99BCF3D7B54096EB7F08C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:05.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56007-false10.0.1.12-8000- 23542300x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.843{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5A1374A51778F7B735EE96349C76F7,SHA256=3FEFF2227F00A8C5564A4317C6DFA3974D8A55C7F6F246304049719BC0972746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:09.398{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917258BDFF28406B03B192B6454A1ADF,SHA256=588C2F7E899A3F3BAB0F092E57B2F05505DE981E124D3E2350FAC36B09FB3560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.531{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:06.665{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50526-false10.0.1.12-8000- 23542300x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:10.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B36C6CCF1CDE5914BF9A5E59015F1BB,SHA256=F4C710DDE1CBA66911B151F17B4725F724087E75D6AAF719BEE567E0D91B016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:10.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3BACDDB402644752F8C04E58E1D19,SHA256=8D90BB9029549EC46298B4F26EF01451975162503DF41A2F687D7D34AFE7BAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:11.539{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5AAC1D5E93BCFFB60DAC351ED28970,SHA256=5B47B604B2CD7D284A91FCB7AF877DA74E82E8016D4D1BA863C8B1C17EF6B044,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:09.072{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50527-false10.0.1.12-8089- 23542300x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32ECFF04B83581CBE4D56D6B764AAB,SHA256=8A265FD66EF29BBC2FBCA41B9AB7CEB4EC34D9FB33BE04E6ED9990514AB8313B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:12.031{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF29004C6F26540E4281FA7C7934173,SHA256=4BA57334D9F394D6412FC5C623241ADE42DB5B3BC094F6311D8A8C0314AF139C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.601{8D4DD44E-BF39-616F-0B00-000000000502}632756C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47FE4DBEE48595E41F7E03032CDBCC1,SHA256=12D5214FE366BB7C80C6390DD77D95ADAD920A4CB0AAD8F0D3B501EFE37A244A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:13.140{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0EBE4427D52186CFD50883E92FE0B5,SHA256=F80DF602C9A9B00D423134FB9246D2AA5180EDA44CD14DC849E4A20EE9AF9F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.492{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.980{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000102538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.980{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56009-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000102537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.601{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAE1CE7D2C6C76DFE43F8A9E60050AF,SHA256=B35B30F5173EFADC18D435C596B068CE3333621742943B5966CBAA959EB03F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:12.634{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50528-false10.0.1.12-8000- 23542300x800000000000000083778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:14.156{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BDB78C91C47ADC8AE880E8C7278876,SHA256=066183C8FDEDE5A4C55D5F724B2A9E200E0A9A9041AF0E5C33560B73B4C0CCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08411E796281862385797BC7CE325C7,SHA256=9284DD05384E27496DC803BDB6A0F73BEF42E25F191A75FA0FE0BB7AC8AA9A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:14.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0223C4267FC0FA0F366A4FA2D3D80210,SHA256=EF158270D905BFF0AFAD43C36BBC4801C12FD5E81AF4B21577CF7E938A241FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:11.522{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56008-false10.0.1.12-8000- 23542300x8000000000000000102544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:15.601{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75B9F280084CCC01CFBB83762D26A1D,SHA256=75ECCC6D78707365F671CCB009CB8D3C7DB4FE731251AD190B4E1BE4C30A04E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:15.203{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687B5F72638D08B02945534C518B7DBB,SHA256=C782F7E1316D84FD7F92B1D2712E5C5E19AF531F1882EB3F41E5661B0825F5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.094{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000102542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:13.094{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56011-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000102541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.988{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local56010-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000102540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:12.988{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56010-false10.0.1.14win-dc-185.attackrange.local389ldap 23542300x800000000000000083781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:16.233{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8339089BF8DB46C3F19926273678AED9,SHA256=8B6891BA5B1D930EEAB3A2AF6B129A413481FB13BF38A27750D10A37A76C7AAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.027{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-063MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:17.249{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888D4EC6F540BCE9865B40AA3483237C,SHA256=EE645560A2CB96A0177386A6EA9C9879AE41F9C36EF21FEAD3098583140C32A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:17.099{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE20C6534E4482BC80FE0F6C76C87DE8,SHA256=1C2987F2A1AB3ECBB47C56A952AF0D1E895C08B6E15C003061EDE2C3BF9D1274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:17.039{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:18.280{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050BF66C6509468D2614DAEFC912BFCE,SHA256=23CA1A1108C51D08353A1ECA6E6E8791D7818107F5D36EF779AA466335B403E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:16.614{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56012-false10.0.1.12-8000- 23542300x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:18.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A496EABD18633B1C38A3016D79FA86B5,SHA256=A1889544D8390603ACA6091EE6556C8CA03715A36B5C68959993EFC4DE001272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:19.358{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFA9916EE1CD612D4D7AE898CD1F4C1,SHA256=B2B8559609A05AAADD3FC38E8CDD833833B0916543F91D537C7A11E4B2B8A94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:19.039{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE1A52E54072C151962C22F00AE88AC,SHA256=726713A4B891F91A1A9F149C74EDF931D05660A1AA41C16BB8359889677CC0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:20.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CF3E9F97CE92F53BF81EED4BD608AA,SHA256=D6BAC613FD592AE7B11E6741B1136E39C419221C4043B2DD7F25DD601021120C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:20.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F77066773D3044926D8643FBEA192D,SHA256=254901F4A409CAC4CAC119387DBB6604BF6A6B9AD017CE6B55C613A19A153BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:17.821{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50529-false10.0.1.12-8000- 23542300x800000000000000083787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:21.514{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489DCDA32C9181A5713B67361086DCDA,SHA256=FF469AAB5374A62BDC0240A183DB75543BCA943C035EF9C4A3DBD202816DEC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:21.289{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0D1DBF08D01EF1A1BF5B4252163FB2,SHA256=598A173A37B1116E0F29C2BB4CEB74277FE14AF262B55D7EACE655B5811D3A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:22.546{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FFD1707FE750D48FD0DFF1E55DCA21,SHA256=5FD6837E4C1E67C4C7C56F94FCD70DA536D113B91E8A9039B0166BF28E186F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:22.414{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAFF4C5AAD44550188EC587C9EEEA8D,SHA256=6D0E33A934DEBE080B62C8625FA7B393A0CB441070C32166C0AAAD5B2AC4F3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.577{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4870ABABD6B060BCC933E3D9F45EF922,SHA256=7A8E2AA90252888EF745F5CA80C271683E888C8A48F352C544FB6381E4EF7AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:23.430{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FEE24C4736BC963205E7501E2EE3B9,SHA256=0054DD54887447886B5C6EF708A54AF453AA2CFFE3D0115F044397664CEF130F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.077{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B3C1D43F02B52BC5A97AF0ED7784E1EF,SHA256=8B910ACE5569B19FD9F4EFC892546E86C7015F7AD8A1F1679727D461B4381CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:24.702{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993B1B342347F22864D3EB2D93050A9,SHA256=2DAA0C8D4533F573CC44F61F927CA9265F250EE021B3D5283A98E53BE74A9B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:21.617{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56013-false10.0.1.12-8000- 23542300x8000000000000000102584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:24.430{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F1DF77DCE039F813A09A9302F2C3C,SHA256=761926201466FAE72113CCB2AEECB1313C59DADF56CBF2707525C899EBAC0951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:25.733{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA03D8368AECF1234DC56988D1928F7,SHA256=3B5C6A549045AAF0B3CFB521B70A018FD96B39E9F8C7D3C2B5809DEFD5183CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14CDEDF2AC930D5FFB02FE1754E5CB3C,SHA256=23498F8E347937D737F39455062135876DE58DD7C6285244A4DC43B1B6DCE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.508{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08411E796281862385797BC7CE325C7,SHA256=9284DD05384E27496DC803BDB6A0F73BEF42E25F191A75FA0FE0BB7AC8AA9A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550BFAE857CF0FB3681EF8AF08943237,SHA256=B8A1B3892051DD116C40D5FF2FEFFC89E82FD40EFBD8868EC0FBA1E31813F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.149{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:25.118{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=75771923CCE67DFA64A4DA44E2A7FFC0,SHA256=B93C657D78CFE798A65F2C356F8C48FD63D6360E6D100D6A590B3712E83F0FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:26.811{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DA8F97B045D9C76159AE3977D1DF3A,SHA256=85540E476B0A961632E39A13358C4DD4C9945FF201D05B38B975FD06B33B317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:26.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B22A19AB15C3463C57475A3E95FC54B,SHA256=B6786361C328CA4E99C322510EB975BABFF14B05C79CD03D2B62F24816065AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:23.805{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50530-false10.0.1.12-8000- 23542300x800000000000000083795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:27.827{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37CFB4CD01D7D977D7232B207C773C4,SHA256=6495557F9490C624C848D5B89C9352F6D4829A31F3B7A810F9775FF1B5C7223F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:24.617{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56014-false10.0.1.12-8089- 23542300x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:27.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F31454437130E69FAF022377884AA7E,SHA256=374C678B042CE50811D4E44B1FCF859D48CE3A4CACF08958995FF21DCDA2ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:28.889{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DF0107116586CF1674F0486ABC795D,SHA256=6EA5156DE5F19BD3BE40E5A86383259977C9D219136425BB1D7871C32EBAA4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:28.680{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3802AE08A4F31A5370A221EC754158,SHA256=B6794B96BB033EAC48AD0FC29C336051DD28273E8EAF1CB49FCCD3AF15438382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:29.952{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C18F34A07316A01941D6C280F10C905,SHA256=67CE720F2F1C44431E1A8F370A6383103BC872F2C68A05265F203C5857339F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:29.743{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBA1E746A38E5E9D1FBE9DC7756CEE4,SHA256=0885BF5B1FAEA19A7A7EF95F4BB8D83D39F11C8DCEDEA59815D444E36CB5B77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:27.523{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56015-false10.0.1.12-8000- 23542300x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:30.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448458798BFB729854A1A68C2BB5779F,SHA256=0ECB8917B49696389CBBE9848AE832E9534156C87471AF5A7D7A499F8DA26870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:31.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D83A97D1AFE745D8BF2FA0E6F7C47,SHA256=FF8DFB1A53745733F347FF42FDD29A542D4DDBFF5374718DA1DAB30AB5E049BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:29.758{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50531-false10.0.1.12-8000- 23542300x800000000000000083798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:31.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94AF402DC56A5BF263EEC28DD3165CF,SHA256=9ED24369C53B9A827851C32C9942CEB75855E4E76BDCB38077200BE9F16FC4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:32.758{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DE7F48B5485E84B0637B93D9F2F249,SHA256=B5EF2614FED558D51D9F0C3B92BA20D33CA9DB8247A5F366FB30941E34B7BC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:32.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DBC813CF3D75E5BF0BA3F19802071A,SHA256=74EA8B027F877F24D354569FBC28D0D301EC589FF766CBFEC95AFAACAC2EB6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:33.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55C1F705C3D43896C452197C6272F1D,SHA256=A7B0A534633B58A67175CCD2D7B0551C282E2C400F59EA26806BB65C0A2FCE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.389{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.390{6F8252D3-CEBD-616F-6502-000000000602}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:33.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97F12E5D1CB1DF0D30860A3141908B,SHA256=031A996256E86FDE3BC42851895F30CAC4AEB4733CA28285F5DF53B0D5B9919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:34.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A60D2551FAB364754B37E01D79EC4B6,SHA256=11E4B5FE0EDC0713FACFE327EE93F08C70918D8B8A47DEE38E49B336DD54DD45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.749{6F8252D3-CEBE-616F-6602-000000000602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=903228CCA8BDBCFE3DFBC732A8D34EAD,SHA256=E192D60DA503E2320D65F7B1BF2204EB11702E9E7E4EE504463B9580DAEB3179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62ADC85F1C2DEC5F703843F7648F877,SHA256=98AD31D2793C5EDB1B34CFECD8973FA0AA971995C5756B88033709E6803F081F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:34.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4A89E9D1E336186C2B338D0FF47340,SHA256=E349E4C8D0328521B7DB80D583418DD83088A81EFCC00C02EB331F7E0BD4D218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:32.648{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56016-false10.0.1.12-8000- 23542300x8000000000000000102603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:35.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6EDDB5EF8133E717646B6AF1DFCB72,SHA256=E65DFF9D2E826C5A89CC38D3EF7C099515837B25604F9DE17223E348090F3E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.988{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=903228CCA8BDBCFE3DFBC732A8D34EAD,SHA256=E192D60DA503E2320D65F7B1BF2204EB11702E9E7E4EE504463B9580DAEB3179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.248{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.249{6F8252D3-CEBF-616F-6702-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECCE6AFC9C2B2ED7B0749EF24E1B8B,SHA256=582587C733D47EFCF20183EF25E581C8414AE93B5F2FAD01C644B9206312C952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.045{6F8252D3-CEBE-616F-6602-000000000602}26124044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:36.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BE0786B8E10E85E418387E19AAF7CE,SHA256=E58DCAD554DD83618F58814B267794FB494CC8578B722A897DDAA82BED1ED873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.941{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.942{6F8252D3-CEC0-616F-6802-000000000602}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:36.191{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40242B9A3511E787035DEC52EFFEF066,SHA256=87C438DCEA815E8E76406A6783B037176021340514EC1BA3EDE5612140A3B6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:37.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E4C6E7C942DBEB508435FE677C301,SHA256=DB12F0FCA55E5B15D0A682C7B40AB21BFFCA3652C5D2C3424F092DFEC42F9075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.910{6F8252D3-CEC1-616F-6902-000000000602}33762600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.613{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.614{6F8252D3-CEC1-616F-6902-000000000602}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFE26CFEDB9DFF0B875C0597E499735,SHA256=147941A13FC7637D82A406DB5D8B66D1EA4221C38D35A4105CB65DB411EAF1B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:37.129{6F8252D3-CEC0-616F-6802-000000000602}6363132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:38.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4C9A177CAE1AA43CB8B8B05F6831CA,SHA256=2303E40FD00766B937820BFE8B7E0C0E85989A3801870943069C1944148B50C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987FC58F19E4AF6BA73C149E28DCF356,SHA256=E316301666976321B55AC81CC884EFA9465D6F1655CCF9CAF06A201D27E1EFE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.316{6F8252D3-CEC2-616F-6A02-000000000602}34881692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:35.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50532-false10.0.1.12-8000- 23542300x800000000000000083890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.144{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2C3A1AD2E8C37ED39156AFA3889675C,SHA256=3291D8897F4BA31E560A39B68B7627758CF033FD97C5DFBED4BD6B2613CBDA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.113{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:38.114{6F8252D3-CEC2-616F-6A02-000000000602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:39.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ACFFFE9C3958C53CE68A0AA27E6EFA,SHA256=6F2424F191A4490C20F2B89672BA58EE85FDCEB52919A770CC0ABFB605864470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.613{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.614{6F8252D3-CEC3-616F-6B02-000000000602}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:39.316{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DC222E3D814C5C66C7099EF8EB909,SHA256=D752B7D3B06DEFCFFA0D9156E80A406A0F5B371259ED6EED9E3C849DD35E17CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:40.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8807507CC103DA45DA5A784D5DA9466D,SHA256=37EC33F08EFD55A64A26D35DC12D1C361676C72D23808F838EFE50AED1B97B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:40.676{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF7A84118E2F27AE6059AA6679EE857F,SHA256=F09F6B12A50E304F60339ACB03D03F543436C25CF48B34174F38AEC148BB6AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:40.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B3C6F0D165EA528342FB6A5F350FCD,SHA256=F3EC2B78DAD9FEFD7E11AF8E8E8980BD276ECF5FD4AD1F1BB1B1DC2533FAE21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:41.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFACF752B769FB50E06D585C7D9F7C66,SHA256=E0E43FF2DB7459CE7A8F9DE68D07661200B07C1C35A41E5C8A0DFA7E1D072569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:41.410{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DAAB9F34BD7B79A5BCE80B4DC4DC82,SHA256=E2ABEBB977587AD98D8CFA42657F4948363F9B11599502FDE2100CF5B9BF77BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:42.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C62419F1BFB67682FC697B46AC21977,SHA256=FF4E7AF75754A1C92C15FA7BA221CF6BB0FF734DA82B02F9941BC27BA1B104A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:42.426{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D62B2511286762F22DBC08734CABD5C,SHA256=6A1CA972F87214D7A9E952B3A55BCFB884002FA7A9134E877DB854BD27F81BF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:38.513{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56017-false10.0.1.12-8000- 23542300x8000000000000000102612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:43.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FAB797A8FDFD2C6942D0BA9D2A0F3F,SHA256=38EE66B78BBA712F294CC61D018B6F2E99711236C3FADB952637EC5D59B0346C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:41.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50533-false10.0.1.12-8000- 23542300x800000000000000083912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:43.441{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51533DA8F5BD955621F49213E98F1E24,SHA256=9FB9BC92CFEFA9AC3C2208F864D8EE0D37A42C1BED0F75056EE1D9148C013CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:44.457{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3823D5AF0E65CFE1F86E1C2D94F9589,SHA256=467DD63C601289A50B9D5319971521118670CE0BBB069752CFA329E6609AB676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:44.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2200239BA9E8CB5ECF0D2FD19039895D,SHA256=4434B8E5401ADD629E4AD9F3C0E86DD8CD317CE7A3E638FE9127723BA7ED6FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:45.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE282C5F0B5347652162DD4225B1339,SHA256=79FDE2D8457CA9E2A01E8E03D763D31FC9EA227380AB0FEA4555FB347FA253A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:45.472{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC27613368165CB1B0DEDBCF96E28524,SHA256=3A325BF57494B7D622D9F92F266151C8078484063AFA1523E850EC22FECF8134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:46.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DCBDF5368E80AFE1B1CD9978F795B8,SHA256=77A94AA825D68B711E9EBA334C79D873CD0F57D1CF05AD453066833F25A8209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:46.488{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AD2B921697754CF2DEBEFC7E6B476,SHA256=E9DB41CC92324B763B40D7BEAB19A3B1F8C8FE49EC24C8F8744948827B9CE992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:43.638{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56018-false10.0.1.12-8000- 23542300x8000000000000000102617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:47.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D20F9658501A53D50FBB2C74357C3A,SHA256=C55A66F09B01BEC796EB6927EB152175C59CC18C6A853A2481D59245CFE228BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:47.504{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1F5E6EC5E99ABD118DAE3A4A19A5F8,SHA256=A4BF72B00AD7AD16873E897EA29E47521191C5B779D3446B881A4E6FD5A2B9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:48.504{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19DC58DDA2675FAD1226CEFD47D87A3,SHA256=63C1482F1CA97CFB4BF2B72AD1BCB9960C8ECD89B4E566F49BCAFB78A7B9E673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:48.841{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35111D03E1A2538A682E9B8C297D9839,SHA256=4EE5171314334DF7F7DF2207EC06042CD962B404A1AA0AACB68DC59528C1FC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.935{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85124704DEF0CFF24F647994074BBBC1,SHA256=EA18014F6758D938697110BEF1C0F4B65C688E7042483B67FA5ACE295C668021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:49.519{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7DF0471317CFCB7EA66908B64DD579,SHA256=8D3D5A3219DC88BBA4CF20A7D28E15F975BD0183B0419F9C9EB9E00F75724E9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.825{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:49.826{8D4DD44E-CECD-616F-9502-000000000502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:47.748{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50534-false10.0.1.12-8000- 23542300x800000000000000083920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:50.535{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5077CC714F26180E22674D3E763472B8,SHA256=A7A276D327E51A726D794F910DF14C224EEFB88903237AB72BE9AF2CC70C48DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.326{8D4DD44E-CECE-616F-9602-000000000502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.029{8D4DD44E-CECD-616F-9502-000000000502}33602724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:51.550{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2FAAE00E8B3EF413C6234D7AA235FE,SHA256=8916FB6AF00FD3F28CD8ADB4928A8EB19C37B5BE008B3BED71541FF8F71D396E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:48.747{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56019-false10.0.1.12-8000- 23542300x8000000000000000102662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917EF7E351F19504A6364F12013F5AF6,SHA256=65D909EEEF075C8E7FF0924542A2B5C7F3366CA13D547F0F9A73FB002F2C760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14CDEDF2AC930D5FFB02FE1754E5CB3C,SHA256=23498F8E347937D737F39455062135876DE58DD7C6285244A4DC43B1B6DCE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:51.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012AC852AB06E96626A4995B51531AE4,SHA256=1087CB254C0B4534FC555AFF1782541AFA39C48045B915A777A6662F3E4A4531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.997{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.998{8D4DD44E-CECE-616F-9702-000000000502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:52.566{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431E9523FAAD1EE393928B9FC0B211A7,SHA256=E6AFB906841296220A1A81B13B11491B8215637D505FCA8662A7F9ACF2B9C88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.982{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.983{8D4DD44E-CED0-616F-9802-000000000502}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.435{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56020-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:50.435{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56020-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000102664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:52.029{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FBA9DDC235FE163EFCA4A00896BBCD,SHA256=084FD848C8149A69F5E340CDC26FB47255955414F0B28731756F49D699C6F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:53.566{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1EB47637885879595ED6BC276ABC3,SHA256=BDFC20D29553E9A31E9A9D1DD53834FF8A7775D71857B1F6B66E0DF009E7511A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.857{8D4DD44E-CED1-616F-9902-000000000502}50204000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.654{8D4DD44E-CED1-616F-9902-000000000502}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.154{8D4DD44E-CED0-616F-9802-000000000502}42082660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:53.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD54EE3E3D3E4B15846A49C2F10A41B6,SHA256=938917077BDE1579F27EEA6BF4054B8DA3E671C7B879A30A0838F181E2B0B0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:54.582{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D959638C8407EA310ECF71BB4382516,SHA256=090A747C72DF759783035C474823BB97026891A975BA255BE7A1991BF492E744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.544{8D4DD44E-CED2-616F-9A02-000000000502}50164316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.326{8D4DD44E-CED2-616F-9A02-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D0062EEBA4056A0B5729E0DB8CDB69,SHA256=D347A77D898E36A532F5B6D039C5E65CFF9FAFF66DD9A4F48F6F3C111A40B98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917EF7E351F19504A6364F12013F5AF6,SHA256=65D909EEEF075C8E7FF0924542A2B5C7F3366CA13D547F0F9A73FB002F2C760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:55.597{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043EB5B036C60526886A5B19F9722191,SHA256=A3C7D5C97CCE3DB4980DB7BFAFB9315F5A0AC93A30F71CA68C17255FA89C39BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.575{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.576{8D4DD44E-CED3-616F-9B02-000000000502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.341{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD10CB4F4B953EF5BEA078CD09F332A,SHA256=11D830C970634C2145AA79BC9C5B2B9C142705CD0C47563DC9CAD9BE4D7D0264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:55.091{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9467AB0BD653A05943677D6AAF3E1F,SHA256=4D31026EBA58DCEA32A3FE2D2F0D0A851169DB98FDCA7F606B84DABBEA91B5B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:53.716{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50535-false10.0.1.12-8000- 23542300x800000000000000083928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:56.613{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A600FAED37CB143298E9AB214C2CC7,SHA256=B47FCEDBD28C7EB68A693FA1678ED9E1EC25946885D81E3820965B0A827F5842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:56.809{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508CDE95DC8FDF426BF455C29025A1D5,SHA256=C581F3F720B203F1BE3B58B909DA0046D4EC7B173EE09988795285755282CD27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:54.622{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56021-false10.0.1.12-8000- 23542300x8000000000000000102727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:56.106{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9EE20AF595A3B609042B945E2200AA,SHA256=8ED2188767990DDDD327C2CCBD1517690997C7CC75AF72C4ED67E631AA824635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:57.628{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74198392FD2099A98192926107D14547,SHA256=B594CA50B5F949709950951B8951CA63D1F41DBBE2AA21F7694164CD9086DE55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:57.184{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22879C190CAEC2AF771D1920A1F7DAEC,SHA256=07D831A96B789651C62CA856B5ECB33556BB8BCCE84C627BAED89CFB1DC32006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:58.644{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFBE83888F345AA580E22872AB125B5,SHA256=823D801789559BF57332D6E6956FE1FBAC7AA66E644D8DCDACF683517DB857F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:58.216{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CD8BC6030B84B77EC2954525052A66,SHA256=C7D9B4403BFCF2147F6433ECF2B39C341D76401F2EBE31F833C5DEB2617D686B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:59.668{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009D6D10562D8563CE7B13D4B45FA81E,SHA256=46AEDA4430C79F45C795D3475348F66D87CE85B405485CB7F7ABDA8D8894388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:09:59.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A056F40D9ED8DBA206BFCB34E31D239,SHA256=255C9A10B5D3671342FD9414C53953FA70E45D22412BABD021F5AABA624192F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:00.675{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FFE522A1E098C5EDF01E5CDEAA6675,SHA256=C96D38942D073801203A7F0E4A0EE3738253C3D6340F3D07F9C4AD61FC7D01F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:00.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922BA198C79915126C3ACE10852840E0,SHA256=92503A62C9D955A3CAB6270EB1DF0315DEFB46208E2B4C021B1EB4E5B342CE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:01.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A18C4BC8B99A7300C698C5FC7A9B8D,SHA256=657752D8D993EB44E0FA0580B655813A7812CE79C9564147DAB0D45A0D71EBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:01.691{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298B19437BAE73F3EBAA70B25A019F66,SHA256=79E90CFD667CFB60D07072298699A275694386F7CB40BB0EE0ED08C137E19CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:02.692{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7670D9D65DBACF896AB8B33EDBC59B28,SHA256=C7E7EB189C922BE7DE4166F2DAC74B441A6DD1C208E726E3FDE1DB080D822A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:00.528{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56022-false10.0.1.12-8000- 23542300x8000000000000000102735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:02.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458652FD45F9F2C2F11E73E528AF883D,SHA256=CA7EA91CB1FD25DAFA922EDA1615AED6A5DE2C002F19BA6FB484B76318739586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:03.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDDC0893ECE0118EDFE4B6D7AA0C1DA,SHA256=875CB859C42172A6828D67177474247C53D55E68B49771C4558DAF183C33A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:03.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53FDD93418BECB719E6960E370C80AC,SHA256=D98A5C56A5EEDA9EDDCEDA44BD8E11F6452B94FDCD7BCF6140985C6FB0A1B6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:03.007{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-064MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:09:59.700{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50536-false10.0.1.12-8000- 23542300x800000000000000083939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:04.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F562BAB2C79084F0A9C64C7374ACF4A1,SHA256=DF1B39CC1B5057DC243B8A8408A8D9737DFF756CA2180784FAA4B22D993E6E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:04.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E73C7058C4B1B677D151906CAB04DE,SHA256=7BDD777CAD052E61F3F22F028531E1BC9C80D5997FB2412A91594C46445FD565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:04.011{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:05.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9767DE53C738D37A9F67D663706D6C0B,SHA256=5801F39F503CE728A50F5570A998696D47E0A837C837878222D3D54B96E848DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:05.714{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63DFA978BF60C120FBF135CCE689015,SHA256=1050AAD62B877E6A9FBB55B17042E0566E4EEF078AA563E21858878FC74E3635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:06.606{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58C551547197ED141469C34CC7833D3,SHA256=BAEEEF56C22F01D91E2B15D9D51CB556F1BBFCB13A8C6575C3F8FAA6949602BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:06.729{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33732B5991440AC5E90BC7FEBF012E10,SHA256=760DEE29BCDD8536C920D29DE549D547CB5D6D79D51BA2F04C5575923DB21C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:07.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28701A3580949B510134075EF35997B,SHA256=3FC0C8BB003AF3D61E2B20AE00FCB085F088292BFECF8E3379C49BD3B6A4DD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:07.745{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177AD014812C9B6EF4B4EB88468EA72F,SHA256=2CB6BFFCA9114FD6B15CDE6CCDE869E5DBC8C070AAFAEC993F8E2DE40FD29AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:05.661{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50537-false10.0.1.12-8000- 23542300x800000000000000083944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:08.761{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22B7253D7BD148741D294AFA98C6870,SHA256=444B79D551427F608F1F6979C545A743F88FE186BFFD1A999477329F88276EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:08.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896FF5DEDE7B2B0309091EB74F245F8,SHA256=51C9D21F3E90371B4A6D8AB8F6A5106EE550B2EB8C5A6E89E3A620B54F6378A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:09.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47546501196E88D79A01D2815E53D77,SHA256=EA11F0120C22084D6728BE8C3358F50953643B93E0F1B8F0A3914B5CF7B55CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.776{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BEE6A2BC9F0673BADDC1DD1EC20F43,SHA256=A16133497BAED804A915FA481B70E990FD60ECC354AA59B0E146C65517BF51B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.557{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:05.654{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56023-false10.0.1.12-8000- 23542300x800000000000000083947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:10.792{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A868ABA59B032F0F2BDEF0D4A1BE93F8,SHA256=9C135CBADE607BBABA4A8C4DA39B6C9FF210BFE414DBAA5B1F79DAB9F2B5817E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:10.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAA14D8ECCAD98DBB60FC0D5E51C01E,SHA256=70C7ABDA8919990A5E1453F341CB98BCA7C787B1C2C61711B83AA920C48D9CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:11.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B020AA70D5D65B736BDF8846B785,SHA256=DB0E269E56B20537E301ABF9DAE747E03AE8655C0017B844AA7AC977BEF59A11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:09.098{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50538-false10.0.1.12-8089- 23542300x8000000000000000102747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:12.809{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D52C7A916302D4FBA5089259D0CE1B,SHA256=1EEF206111033FEFE61F361E28F74EFD87931F62945B45E22EE99C324A1007B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:12.010{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FD2628817C147778F182C7C5182BFC,SHA256=1743DB0F392E1BF878E262CFA8408FD3C9AAFB899F7798A1D51999C295C5E921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:13.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A786E030B14383FBFDE8D7600B39DAB,SHA256=ACB763DC1D36B8101682B65E829CBC6CC83C375F75D893D9211E5B4D9D9A3D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:13.182{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A70FB68A92B9BEE4706CA522C10708,SHA256=2A33ADE18DF5B44739B7AB0B1AE210FCA9FCD28452B0D43E604F245D7C6047E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:14.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2162D05F93C7C31DCC8882A482DF9E2,SHA256=70342E969BB76162FF34F5A4267EE4ED310CDFB0443A107B9FB7B0A8FF8CCC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:14.260{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409E9F861DC30BB0D2080BE13306559A,SHA256=4A91B610C1F0FE87496ADC02983954AF09B2F5868F3774FADA0F3AD38B93537D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:11.591{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56024-false10.0.1.12-8000- 23542300x8000000000000000102751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:15.854{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6227C07A438B0F7551A7DF73DDD59,SHA256=0BA887626D8E311578BCAFECCF35AC1E26BA4BE636381360E0D3EE49CE3866C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:15.401{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC961D67F331F7B5B7A2770C657C45A,SHA256=FD6245B4CC6BAFBEE30082A7EEB755132AB9320D9D5912ACBB3B93146252F16A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:11.707{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50539-false10.0.1.12-8000- 23542300x8000000000000000102752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:16.854{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE59E09AA48A005E4432B47AF6A917F,SHA256=051C50C87003160D04843A2284142C7651EC697025165ED108256D31802A7C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:16.501{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478EC72A8DC0DA92D6713090128A8628,SHA256=39CEF49C6E67A0A11E3B4C3F790048C018482D38D2CC308AD07048F2BB9067C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.863{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D286519B9E09EBB756CFFAC355532241,SHA256=F1F1D88D84ABFE1CF4D18C9B4CB78D9D0B1C9D928EE3F8DA382E22054B199D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:17.564{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1248602998E7C9F63FCAB826BDF33642,SHA256=644B523582CB0D9C0D4CD0EC40C7DB5337F3841068D5FC3DD1B8601F1FFE0FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.561{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-064MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:18.877{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A72BD4A70154A5005092C3623B4463A,SHA256=5FD4B2B2A8F0EA790CF5F151FE9DE1804625AA915E2EC3C9F5E965F8A2CB8EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:16.776{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50540-false10.0.1.12-8000- 23542300x800000000000000083956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:18.657{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BBA015868E28571E34629D84D45F69,SHA256=A6BC604B55017C6D78BD2BE532EDF575F8C752E91E606B3FAB36BC16A2031850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:18.567{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:19.880{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5790F67BA6C1C7F7C1BB5CD4B89CBC40,SHA256=2271454782D5452DD2EC4E4FAE5A409E6DAD46FA1446159192693E691FC39308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:19.704{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916828045A22C5F473B7517D30B88CB6,SHA256=965166C24B14F91130F491ACF7FDE24E60D4E49943DEF31D46291632D91B1DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:17.598{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56025-false10.0.1.12-8000- 23542300x800000000000000083959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:20.782{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC2E2A2800E2EDA4A3B90E1E2AE5769,SHA256=DC6E683B01BBFAD22A233BC234E73ECE1F9BF420B0EDB46344AD07EF4EAE2B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:20.896{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221AF4B17050F45266BC046B81FB0FD7,SHA256=AF2B1A386E7FCF8DFA43C29C73E3850B12B99FD7DD52A958D3386B104462D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:21.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE2F5CF3BB5CB2C4F1C5AAD355E2F9F,SHA256=74EE1C357CCCD1DC2B7E62D65E7110C82ADFCBC03522CA48CE7F7307F01A2141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:21.829{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E6FB4AE64CC51AE567D26591EF96E4,SHA256=3E6FB788E26D377B23DEB31C46DDC53C12D80083C2CB1F07AE1F9AC3131A8439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:22.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14263F565830565BB57F1F7C631F9CDC,SHA256=3DF0896FC7381FDCAB46653A2F5C6C3344C2E506A152BCA34CFDB1543084AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:22.845{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B50807A5AE5CC30DCC914CEAA59F54C,SHA256=F04380827FE7D69BAFCCE525C994541CFE25C3A0AED93B38ACD71FCAFBED1B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:23.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5436B9C6DD8950417D6213C4A6DDBF3,SHA256=1AFED5811EB8986C934A262B3918C84E3ECE1BDC7F6D05458402D6B00A992EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:23.892{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF740739AA0D9470803B64E123AB898F,SHA256=7E3684285587D9D766E27B1A998E075994D653FB751D96757F5495BF72E9ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:23.079{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=86089DBD44FA8098180BA387A7D91C75,SHA256=E1AB4781C08CB2969EE9D73CA81DA62A166C47A38ADD8040613CF1BE778FD541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:24.970{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CC6B57406CC9FCCF02341EC682DA63,SHA256=1B6D4696D3F98B8C5E53A04332EA65E95D2C18FC5D88A2455BC3089BCEBC0919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:24.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09CEA5CB9C9B6A9A586DA1F1C2CACA5,SHA256=05CBCA4C7E511571E9DB3B84FD4AC1A0399A3575A428C90392768233ECA431CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.985{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1EF4A682BCBDAA590B2C7D0066812E,SHA256=7523EA27246EC30FDB20DFD04E5DC347BD0BAFE298DBA499CBC8EF842B58D3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94B6B186152CFB36818421BD0844FCC,SHA256=4592CDA7ED41829C1A92D64475681289900ADB4420277C4DE70E3A981AAF6605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:25.313{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000083965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:22.792{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50541-false10.0.1.12-8000- 354300x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:22.662{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56026-false10.0.1.12-8000- 23542300x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.177{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:25.130{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=35A5DC9855799EB554271F2657FEEE41,SHA256=57D62EFCF53E34522D9F07AAC8B46C1A8750DD6DD8B89C098B4850DB19596EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:26.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBA9FAD8E195D9640FC498834A6DD32,SHA256=C1E83E5A354482396D966B2745A894783CDFA3428E68C745966578B36BAB2ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:24.647{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56027-false10.0.1.12-8089- 23542300x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:27.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE4F2F9844F72F4AD22452B93A3622,SHA256=5CD051B7DC24AC4EADFA55B7C2AAED7E031517F8F1DF5BD14A526C320C173509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:27.001{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AF76C68A45775F93CF2604782075CF,SHA256=59ABD8BEE6869774F12907DB704BD88915E6C5C238806C6461130CAF0D98577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:28.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B987AB5E68A518764ED866892B4398,SHA256=9DB518F1534904EE881D261C2315EA9852948E8F4B11CDE4D725BDC91ECF57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:28.016{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0346B0AD3F7EA56CB014C020DD794B97,SHA256=8C46684EF9C9EF69342217797FD25557EAF5BB8916E47C0F66338196B45A4E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:29.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E27B684B08D9463271A91BC3B923FB2,SHA256=757F38C1AEEB93F46CAB52C5CC5CBC963B684C7AF16575F56D5E83785E5CF37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:29.063{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22447F6F9ADCD8BD3AEF03187ADE7D80,SHA256=212E72B70342AEADEA7DA37603751A59C24CF9E8CDE7164D2DCE8877007426E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:30.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16109EF744E8167FFA76AAE1A37E6F36,SHA256=BE14CFB8FD5DD6EF1D6B61CC8CF98FB55E66D95C0C00EB6BC249C23FF619C49D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:28.557{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50542-false10.0.1.12-8000- 23542300x800000000000000083973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:30.126{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD3A3C8E09A61A3E8B1BE12D414A7CC,SHA256=E4F89DBD3D7E8CAC92F88745642D5F7794DC731D308264CB0BE63FE353E909EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:31.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89287E0C6454712492A3C0DDF613ABB,SHA256=0C4FCF3EB7DDA56A0ED868D3C034AA87D7C1BAF73F4E7B78D2A85DF19FF824E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:31.188{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FD8F73CDBC1453DBE4794DA202B39,SHA256=CEB200A62579D912BA4444D825E3B724EEE4514925683C15984F7DA9743F67F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:28.537{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56028-false10.0.1.12-8000- 23542300x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:32.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F899FD6B65F98D3AF07351648AE19695,SHA256=722BFEE864FA94B2C1CEB998713AA3B629FDC714DBDE91FC79EA50F3C90BFFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:32.219{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38594D1F0969B10CB4430B9536F7F45A,SHA256=644CF3015E2A2BA7EAFFC4AE96A8CB52878800D6F5215C1B6238637C25CFD076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:33.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB63B457CB4409A426D01AB8DBEC1E1,SHA256=6012A260B3DDCB55A3E2270C683491F4800F801967E27445460E0BB0F16C682B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.407{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.408{6F8252D3-CEF9-616F-6C02-000000000602}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.266{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF573FC9A4699EF0747B19C701B9195B,SHA256=65247C854F851FB6E20D17B1A7C68F3FA3A4EB7EA530A82E23E4C30E85417E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:34.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844D0334A944837C2BE0E59320EE4CE4,SHA256=F07C9F35BC1AA3565ABB933B05E9AF4B3BCCD839202EA823460E985A1D5EB20D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.751{6F8252D3-CEFA-616F-6D02-000000000602}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.423{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0010CAD19409C57254379FAAC34E3,SHA256=A1DA4B686CBE9368B78EF6FF6840EEC87E9FEBD7D0A5B86F9154654653A72FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.423{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A664D05F0B5E4171FE7CB932E8B60916,SHA256=D3D14D6E25C891C7BB99D888FB8D8C3915382B4F8F4CE8C75593F8FE37CFB8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:34.282{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BD31CFB9C12D0B62CDAA08445A3658,SHA256=55FD01FD3C1A5F138C85E1F4757B5C40EF33069F9BBF305ACEC048B141ED2D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.787{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0010CAD19409C57254379FAAC34E3,SHA256=A1DA4B686CBE9368B78EF6FF6840EEC87E9FEBD7D0A5B86F9154654653A72FD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.626{6F8252D3-CEFB-616F-6E02-000000000602}15481944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.563{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234D5C3A2653F38BE61B7AD9A837DEE7,SHA256=C866CF32F1EFFAAF217307F30D9097D7C62280E7B95580D7C61AD9100C533C95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:33.616{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56029-false10.0.1.12-8000- 23542300x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:35.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539437C3196B7463CA3BEBF501C1F19D,SHA256=B0F9C1738A445832B5869AB46235ECB31F8F18CEAE1D4E73A617A5B608B0FC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.422{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:35.423{6F8252D3-CEFB-616F-6E02-000000000602}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.959{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.960{6F8252D3-CEFC-616F-6F02-000000000602}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:36.787{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99206F840B61E4063D8AC7ED11B2605,SHA256=CD3ECDA6237026CD98C6BF181F7173EC01EC06BF12822A76D4BC5CF4F418C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:36.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2395F1819EB059722208B86ACD12AE,SHA256=3C6B1D2E976A03198B9ECF86A13DCD0A5F6C289C318C058F949EBF37AEDAC416,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:33.792{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50543-false10.0.1.12-8000- 23542300x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:37.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDFA58296DFA9AB94F58E82F73CA71D,SHA256=2C8054F106875B24D6CB4B803FEE7CF72F97A3F21B57F41B45B3077CC8D4B058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.615{6F8252D3-CEFD-616F-7002-000000000602}32642432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.459{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.460{6F8252D3-CEFD-616F-7002-000000000602}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:37.209{6F8252D3-CEFC-616F-6F02-000000000602}34442380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:38.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE68AC0F68B35AA76272E2772F22DAE2,SHA256=DA4C6808258CA4F9002FCD2A214EBFC01D50A6937380F2A2F8EDFD7B3765599E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.303{6F8252D3-CEFE-616F-7102-000000000602}31362760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F59BDD315D16DF115FC1A04EB3DCDF,SHA256=CE9AC7532E0DF1EAD6900355D95EAA874EB67E29703A9915508942196E9CF124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B65825E389E4BAC6E9BD47306701F00A,SHA256=47DDB3292D99B272AB78FBBB985C0096B84EFD89D65AE449D385770DFE5C2849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.131{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:38.132{6F8252D3-CEFE-616F-7102-000000000602}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7235FE16C85A64BBA5B41B4728BF42D3,SHA256=55F45D91FF5B6B2C2293B050DE423B2B1DC6D48CC1D735B17056EDAF72B92EA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.615{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.616{6F8252D3-CEFF-616F-7202-000000000602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B032DA63D49702BF492D35DB89B773D,SHA256=D0F3B8A9EC668C900389B44325DBEE55066ACEEC9579B304841B7809EDFFD50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.162{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603A2E4921AF6F7982435B6FBF1282A1,SHA256=4D9C8CA71E1AD61B8F08FC8E45D45B1160AF78E802EEAE0FF25BBEB403A18C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:40.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF06B1F159315782D0DFEF6C05B7C,SHA256=6F1140EB47749E50CF229C8D42F2FBA4FD3BFAB455BF4CE6F20696FD2B6FB157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:40.772{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD05B3DE50704D63C64A227C8374B035,SHA256=375B032CD60E32B6317C87A40E4B1A7E08DC37AC84317053114F8DBF1DA9E241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:40.178{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2CAE50137624EE04F6E03161A401AA,SHA256=082297BFF9AD1339C8DC988C19F573E617E213FBA0CB5DB4394F0F29BF7E724F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:41.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC723C5E1986039334DC0E97D9490CAA,SHA256=3C79FAEA64E0E736CD9350B15AABD40E3DFE51C98663CB26F09929332A9311E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:41.193{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FF1EF5030137B92626902402F4FF16,SHA256=7D3A27BB5172897C3B64883B2FF77AB6E153E52BC81E9002DDE6BC065DD86D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:42.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25E604E138B3BB69B7BD9877845826,SHA256=79D7A77C36327B2BB5355085C1C0B0A513F982144EBAD4EC2072A183AB9DF616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:42.209{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8B30EB59B9016D2EAC5AC95F0F11E4,SHA256=637A92E12D622738B633B2DBCE7F22CEC56CC3AF143953B797936E1E617B1565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:39.563{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56030-false10.0.1.12-8000- 354300x800000000000000084087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:39.734{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50544-false10.0.1.12-8000- 23542300x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:43.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF008328676A9F1FC056C74811237BA,SHA256=0B5512D3E4675CDC8348811C3EA0FB957093B414C05E7A597AC9CA1007F8B977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:43.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435F47B0351F203824B4F30A653F5577,SHA256=3850EC5C7909606A0EFF856F7B9BF6FC1794A764BA0981422F7981372CA89F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:44.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F19D1F62783C7BDFD9418457FE9CB7D,SHA256=6F6AE774E108D212530D7AF340FE5F626971E5A1710F4FC0D0021D0640096604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:44.225{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC92A2AE6E4A25C26447EBAA95CA665,SHA256=C2265B21CC313EF9CE876ECCD66F9688F624D37B65BC265B4C2FB30BFC916BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:45.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3597196599125B4B325CDE707DD235,SHA256=929682CD256BD14AEA9B4FF9C51E12E9D5B5085C5E3C55A729BE6F699EF23719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:45.240{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA2D3EC78E1ECE4FB35FEFE2A0DE4CC,SHA256=1DBC5E2195A895DD00F57CF12F389D736316FED6F39EEBD2E297EFFC4756A996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:46.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2BED39EA58C992BDB9BCBBDA8FA3C,SHA256=6877FC06D1187ABCBF509F6BDD074B0404320DB1FECEEBF0444DCD27D89133FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:46.256{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5C1953472921780B7A539D2641C4ED,SHA256=CD7BBB5EF78F115207434AFDBF259822F372471CC857A750190E78EFB55DCCD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:47.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26C5FD048DDBC83D798738C0311501E,SHA256=F9E3A5C8D4B92EF2A7924A56E078C2BC27154C54664C00F48FD8BD1CBDB229F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:45.718{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50545-false10.0.1.12-8000- 23542300x800000000000000084093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:47.271{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD4B69A94EA87788A16AD3D119C7AC8,SHA256=12F275053B56C70EABCBAAD85CB93469F9F92FD5421710225FBBFAD75621887C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:44.673{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56031-false10.0.1.12-8000- 23542300x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:48.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2A3534E758D8FAB92F236A74E2800C,SHA256=17BF458F1250CBE40E08DAD68559EBBEC76CEC966D50F622F8519C4083528C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:48.287{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77E2C1003F7C9A617E24BD35263FEF8,SHA256=9AA8AA8F9A0F662B7EE3AE285156DB83C4031049A29BB7CAFC54660320E1ACC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA2B82BA981D6EE72D893FE7C048F22,SHA256=F9ABF4BA4B7BF406149BFB49E775D465B904E1E454609B567C62B6B2B7A749C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:49.303{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9DB7068445C08486537F0A3085E2A7,SHA256=AB2A70142786B0DBB7B07FFEEB3896BD249B59B45458EDAFA3CFA8ED9F89EDD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.812{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:49.813{8D4DD44E-CF09-616F-9C02-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.937{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.939{8D4DD44E-CF0A-616F-9E02-000000000502}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C5C2E6372400FAD154201992B4F5B8,SHA256=7D6A8ED3C5374E7C05D59E442AD12DCBFD847F1842519DD6E910004EBEE336C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF01312245253175D176BCCE79A8E62A,SHA256=25FBF98225CB3DF3F1794A5D41CF2F99DFF9B5FCDF6BA8E11B4AF3BD1945A517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193C70CB4DB80D6CC2D19011C64523E1,SHA256=CB77E8B473615C4FE7DDC571DDEED3FB2DF6B64E8F4EE2E8151C0EB5B2319DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:50.318{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E129B4ACE1D4099C9A2A085184A84347,SHA256=3BE202CA8BEDD4AE24E718D2229AC45DDE2386767E2607B52411B687A1D466F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.312{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.313{8D4DD44E-CF0A-616F-9D02-000000000502}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.124{8D4DD44E-CF09-616F-9C02-000000000502}13084688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:51.968{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF01312245253175D176BCCE79A8E62A,SHA256=25FBF98225CB3DF3F1794A5D41CF2F99DFF9B5FCDF6BA8E11B4AF3BD1945A517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:51.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE42832A65A37383E59DBB0E9EA53F6,SHA256=1FE0FE9B0E659827A372C5F03033422A6D4DC77E8166D1AC9B9EFE657409A469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:51.334{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403D222068A040BE3183389C7D3B7A3D,SHA256=7BDC2E2B4465D4531C05C610325F18B88689CF0C818E79C1BA6AECCB62BDA937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.968{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.969{8D4DD44E-CF0C-616F-9F02-000000000502}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:52.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AE4FF50261FB2650AAFA32EA6F924C,SHA256=182EA567EA8CA567D6BC0E7E23EAE6529D0E359DE602733F2E928E322CC3EBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:52.349{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E566B65B1E6D3DC49BBB1631F15E300B,SHA256=1C2F81407C49BC066F9DFF56F7CDFB8DDB29D5A65C9003A09A74413CA1BE8BF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.438{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56032-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.438{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56032-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000084100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:53.365{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89878DDFD7BA40D056EFF9A522ABD0A4,SHA256=02608E1233A88E5EE31194D5BE48EC4AE1F019FD707B64F1946E57B1E8506EA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:50.579{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56033-false10.0.1.12-8000- 10341000x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.656{8D4DD44E-CF0D-616F-A002-000000000502}19322860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.468{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.469{8D4DD44E-CF0D-616F-A002-000000000502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:53.203{8D4DD44E-CF0C-616F-9F02-000000000502}45124624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:54.381{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F753B724D3F9E1174C278C936396F3E,SHA256=147E7B0A366AD708554B747D3BFAEA3F60CEDF15111C0E03370E6B106F8E2972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.390{8D4DD44E-CF0E-616F-A102-000000000502}36444148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E4007BF30031A0CFB5059C529E77D97,SHA256=064708C01013A67F43B7ADF6F46B5DAC47D9D3F7B9357D745863675BFDC21D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3636E3498315D2374A7A9F0D681B9F6B,SHA256=74DD84F5F864294C7D0E78DF6ECBFEAD24A3BAB7CABFE235E2BB5832E3EC157E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.140{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:54.141{8D4DD44E-CF0E-616F-A102-000000000502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:51.703{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50546-false10.0.1.12-8000- 10341000x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.500{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.501{8D4DD44E-CF0F-616F-A202-000000000502}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.156{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9F7B36FD4A5F527107D64FECA0A8D9,SHA256=98A271F97F7325FA5B50269261B5C8F3BE085E6B0B31D06B7DC9C15466EF7C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:55.381{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3F754DC72B612725903D18E8569E21,SHA256=5F0D2D246F3E1B2B8BAADC454F2594686A8E2ED78734C44A7646D8EEF1B7A21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.140{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803F1062A5DA08667D66BBD9AD019495,SHA256=BE356759B3A04223AD618082DA824F979E4AC550B2C87A11B280E4BE23C3AED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:56.386{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA10A276271745EE0E98201FE920AC88,SHA256=BF5DE92F3AC81B6749238F57726BB4F26C1065B269CD2E4845244CED8D32DDF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:56.567{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED1721B6C163F78BE1A74B5AD9670C0,SHA256=88A980185355F19CF68174870D3553CABE8688258FC312634167C9129A119379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:56.207{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C543A70FDE257DE258F61601EDB474,SHA256=B5BCE0BF19CEAC5ED3B96CC2EC1A1F6AEDF4A2ADA67C677FA2F1E714F311FD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:57.402{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC5E609F00CB0DF8FF2BF06B689BF96,SHA256=B32E915A6A51286F0F0F046421DABE70AED3B06B533A5573739469DAA93C24C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:55.709{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56034-false10.0.1.12-8000- 23542300x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:57.207{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5038C4C0CD5977A37B4DB00354ECDC,SHA256=0185DD87DACCCC99C7D794FA4DEA21D85B9197C0B03FD7F1613831ED3BC77083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:58.417{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3305E05DD377D8FE924E6D68FC3423B7,SHA256=551ADC44F69213DBB743AC9122135EF1B6EAF323BE905740815D575CA6A2377F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:58.208{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E492451621354060BF239A573B38C38,SHA256=2A6609DCCC92647E3D84E092C6BB56B8FA57B9369D587E4E994AE90076D66A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:10:59.223{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3AE907C66E4401347FD369C7A4E84B,SHA256=C9721F4CEF98BEF1652F07664B5D7919190341C32A60947BF0C2B8065EB5D30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:59.433{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0969158E8E071833057A3E2FB11647,SHA256=EB1EE84BFBFF00E51C1E1E2D151DC0E4A42B66BA6D7D80C81FE3A89E66AF88FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:00.254{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2E40C5658828C95B8A0C671A24E36,SHA256=87F31C1F637F3B95D6D1C8645257EF473B3E1BA8B15A34915298AD99345C12C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:00.449{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE3286FB24B918FDBBBBEC450BA76A7,SHA256=3F8CAFF3C823292E83489F95F3FB6977D3C3FED3602CFF066CB942D219F82E24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:10:57.677{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50547-false10.0.1.12-8000- 23542300x800000000000000084110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:01.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241D1656BFF33FDA06A3076DFFE9652,SHA256=7D74C4FF432D60764A8AA94FBD041312EF003438D6AAF81C3468CA1B1CC65265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.286{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B265110EA7642901A5313B67E63F4FB,SHA256=88A70D7CA6DD76A5177A15FA64A3F233582B37EBBF75FF95B4AD4594C52C194C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.114{8D4DD44E-BF3B-616F-0D00-000000000502}9003292C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:02.480{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23060E85A2FF302A3B395A668F604981,SHA256=26A44FC8D0270FE43A8BC3DAFE92FD6324D0346514D53B9AAB76ED616377F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:02.364{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C513D8C5F361275DEF55EDA8D858A3B,SHA256=A7F9653390C9B29253FEA4D2D1888A84701A42A7216D0D29BC37D12F0B38C8F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:01.694{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56035-false10.0.1.12-8000- 23542300x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:03.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DBB8182DA2C0366BEC5BD521AA1D8,SHA256=079DA38FD130DDB685F805A349E59F94FA9924613A8FD45F2F5BB8C8E51AA7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:03.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE9985D7F132B8DE8577D1C11D4237F,SHA256=58F43CC28E66F3C223407B4A8A65ACA970A4467389F89B051ADD6290370D1AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:04.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E844553298E7939E63CA1DBDBA494C,SHA256=A5D71F089DF49C3B07D46C2294FD647E5510CCE115B0FBEC5B5BDAECB7943B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:04.531{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-065MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:04.497{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41AD8B5A2C219466D041B8AC0C77728,SHA256=23FAB908B20D3B070FCCE1EFA238B7FED3DB217D300B16B7CBC1377D9857B667,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:03.648{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50548-false10.0.1.12-8000- 23542300x800000000000000084116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:05.530{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:05.498{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BE42DAA137174A9848E79C97D89A1F,SHA256=70BADD696128D3C19F436D9FED180FEA14FFDA12F11602C6E1490AED13EBA243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:05.379{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A483CC87311B22057FB34F6E472533,SHA256=E37C96413EFA23591DCD4DDBD12FF2C581CB2EDCA820A1CA301DF5E796ED16AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:06.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDCC00BA94A5958FA11315E126C85CE,SHA256=057424FC209C2C8D44B3BF9213CA73C18166CAF2A92323C5B1833ADD9A58DEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:06.395{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170B641D0AB19FD82FDB744696A3BD7,SHA256=D7BF04BD2B1FDD69D4B25EFCEA3B6B0F06D399A265F0A57CA177EB8DEF73C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:07.567{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB94E83F00BE73549F6E2077963B2A59,SHA256=01F329E5E7CE116EA917B6002733002B7030F1CA95C66A6A354A2B13154E7360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:07.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327D94EDD1997D60E37A76E58902163D,SHA256=513E0B17EF51675BFD9C996197A4A816FCD4CE55BE7F3F00E1CAC1190580B4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:08.786{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2BB4B7C0E20672D1631AA26C7563D4,SHA256=1529738B5735E9F33553A982BAA3F1D53FB56EB3FB768AD8474437E822605007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:08.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68766509E20D29F8CDF614220F9BD4C5,SHA256=21454780439E703EE4619725D3FBDC124509ADCBFFDB6911D6B634B5D90A0ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:07.538{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56036-false10.0.1.12-8000- 23542300x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:09.833{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9223B83061F5C102FD144BA825F9364B,SHA256=87EFBDA9860E19308A6C921AEC0C1FF2337E0B2BB068511E5D9AF4CC327CE329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.586{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.539{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F25B3E7A20C6D204FF6BC2C85BD92A4,SHA256=F7621AFE3A1AB00609A9CDD01C84644AA352152A4C58A5EB32FA90630B153DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:10.833{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7800BCC72782FCE3AC6A9C0843FCBCC0,SHA256=5019A0D43957A155E9E051761EEB3CE1098E00A37FE5CCEC4CD183A189FC3BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:10.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795207A8F079636C898B4CD04DC42BF4,SHA256=6F199C83B05AAA14036AD18C332EEDCFA215BB8C5CCEE006732C80CE818A6603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:11.879{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5627F552AFF0F8DB674C3A3145151BE7,SHA256=66EEECD2095BDFB613F958F856545F7520071198006E6F38A7006B561B0B418D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:09.127{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50550-false10.0.1.12-8089- 354300x800000000000000084125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:08.658{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50549-false10.0.1.12-8000- 23542300x800000000000000084124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:11.570{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93052F4D26244B82325D8CE57F2E3D56,SHA256=F1C6320644D5823ACB406DAD47DDB8D5A0A9A93193C56FEAA5B92B63F485D29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:12.911{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B097DF4A3700B026C70E16C40ADF9CC3,SHA256=8ABE822292D46B3AF4C8DDABD1412106C97D915A40D7EB0FA2504EFC3588F767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:12.585{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98802D696E82077F36139691BFD2DD3,SHA256=88029A37DC26025FB433B676143A704EBCC47AD4943D7F9449C25C6C814FD7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:13.926{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB61FA9DF7AF2085EE1E3A90099FC72,SHA256=A9469916F5A4A9CED37DAA50A1B553098094F38F758A56ADDC7EF1AD842FCE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:13.601{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579BCF44B779D0CF7016BE9F389EC497,SHA256=1898056A503D6942E46872F4BD767E2B0025FFE257D008C75565EA7FB0D51D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:14.973{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192C1CFABC2392808EB99596D20A314F,SHA256=4A84B8A04D80858EBF8831A369EE140D4DEC478CB6879CE1E047AF6659136466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:14.617{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E496763256C4EC62EE0A7BA16096675,SHA256=6D2AB695CA774A46F515940960F7F698F792FC306F47671B2554E3956E267DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:15.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B01E17D81CB4DA269C7E9656188965,SHA256=E5AFABD4C9E7DA5CE5B3AA8D825E8B5D3A56A19E22610F519BA78194D0FC144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:15.632{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C9DD997EECF20F1193546574F0588F,SHA256=F0FC83A09D008778C38B1DE63F67D769AD625E609B20A2280B6B44C409A42611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:12.600{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56037-false10.0.1.12-8000- 23542300x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:16.974{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4541B87D3CF27518AA28A3DFA97A2,SHA256=9BBD19042BAE6BEC5462C4712C98D234EC64DAA3719BC15DE28C746F5AD7BFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:16.637{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB288C87A7D1CE621F17C9B2B5E4224A,SHA256=07C1F00223B8EEBF1A0CBB95C2F4901C0D645D1000E84E9662869E7B0712BFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.990{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBE893AA37381A1FEBA913F21D68AB8,SHA256=6C0F851A2B0BFDA43F4B181A365963439FDE73BDEBE14056872C39C8B88C4649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:17.653{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAD7B40C279AB21BED1B729AB4632D5,SHA256=4B3881905E720933FF1807323771829E718E593193228C148B6687FC25D80892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.365{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:14.627{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50551-false10.0.1.12-8000- 23542300x800000000000000084134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:18.668{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA586A65E898ECF522F5F4A8DE4034,SHA256=97A90AB1FCFE9A23700ECC2C69FC2AAAA939A9136D82C02491DAF27B21244557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:19.684{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CD511EBE929150DD59814AB2219724,SHA256=0BE8904210FADB7FB14877F519A0B7D305952FD21C31253C3C7D61788B34AE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:19.099{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-065MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:19.099{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01590C0A9645C9BB6A7850CC20943AF3,SHA256=02636B6196469F18B325015ECF02904E81DA440DE2E203A4C88A2833F536D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:20.700{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A71CF3AF1398F70256B6B0007FCD7A,SHA256=1AB70E826BE51CF202A393C4316B830EAFCCD4A08F7E963C701119BD5E4F592F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:20.106{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8783E1D257183F841C32042C3A2D31D5,SHA256=B901724DF929B420FF7A3696647AEC9F58F90F63BBA63319A0643EB639B5D596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:20.100{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:17.711{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56038-false10.0.1.12-8000- 23542300x800000000000000084137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:21.715{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA04188C92B22CFB9742BF59DB8E19E8,SHA256=EC5B18C765BE376F344F16BE67DB4CE8AA95D5F2D72742C7FD2E777011F6D1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:21.163{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188401B455B74A742890B6A45B949A84,SHA256=61946D0F7510D397B9F806D75D49EDED54E0C04984E389C4748EED3ABA717748,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:20.631{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50552-false10.0.1.12-8000- 23542300x800000000000000084138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:22.717{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B553A407386F4C87848D20B4CB87A94,SHA256=DDF2CB5CC45609EB9364D2A222396E1D6EBED6299E42813FDD657CE43724016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:22.178{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3B5BCE271128734C3E0FEA7B61CEA,SHA256=EA149508DEE89B526BB32FA8981B640F38FD3F6CCA1B7782CF6C16F689A0B18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:23.731{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B495B9A832061C0BBB6916251745070,SHA256=DE60DE5126C8B2A9BA482A84662369EB4C3EDB39F990EDE0855D1AFDC600736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:23.225{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E1DD74D89268FA5243DFE73A97B8A,SHA256=3EFF26B8CFAD04A51931805D53E15E10A9CF41014F862529CA389A225BC08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:23.090{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=199DD9D76F36F36B444A2A742FD5C7ED,SHA256=1E94E7A21509764645A7B168D127FC20B41402513BECFAB93FEEE2FCC74E8FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:24.746{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FD2201B656E531EAE5D7A285B68D06,SHA256=2B9B418C13E69A5EBE289766785926C94017634116D19A248D45C55C945BE28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:24.256{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75865F53790410CDD31C8DDD5F8D8670,SHA256=46487BBCC86C4465404B1E41A4958AD7102F35818D2ED3101CBC281DE662666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:25.762{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79A9DD1717C8DECD82FB792C7740985,SHA256=094AA524A233E2392693A4B9410B59080B71D04200F9E648E649FE9BC27CAE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.256{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F90802B88D33648CE76A65DFA92F5,SHA256=7646B1009A8D2B1D66D6BFE8ACE033A567E2545F5340AE6C140B74EAC6444C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.194{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E2E2AA3C106F3FD3B267B8DB013A287,SHA256=9B468D5FA4DDF5C73A5F80AF5BF6BEAEADEB1108558A6B2AAA8B91FAA0269176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:26.778{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779B8B52E3F798E12C70AC87B5568DC6,SHA256=D99916F7B273F6E450DCEC922A6AEBD797AC7BF87A1CD074060E8028C352F70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:26.288{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA987C96A9DEFA00D974E6FDBB010BA1,SHA256=7FD413FDD74589E309CEE138A858251A7914D811D08B7FEB14DA4A0ECEDF95A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:23.618{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56039-false10.0.1.12-8000- 23542300x800000000000000084145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:27.793{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088019F8CE6F27767A19A39BBCE14845,SHA256=39A7F31FE1F8B9B9D47DB3B876BE517E2C60F28591DF1E0342E6A765F79D5B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:27.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EAB9F53375F393573F95C65B4260,SHA256=C35D54C9C6A98D60EF64E4A0D4152BE48170CDBA314829FB680FF4738C41F1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:24.665{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56040-false10.0.1.12-8089- 23542300x800000000000000084146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:28.809{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C6FFDF9A3E7FC64235C086390984E6,SHA256=E6E706B6DF73467E710B069533A0B5727D4B8C3A29D7D53ACF07E82097CE224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:28.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF759A634FEDC4B01F07D72CF9D007D,SHA256=A0AF49C1B245225A53DF8CC2FEC813BF96F917FF550936ADC20E28F311856AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:29.824{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229E4F0A3CC8DAE5C4361297CF2D535,SHA256=A6CA7C887333F1BEDB0B1266D051B4D4425B9C868EB0234F7CD2461E49916C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:29.335{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD6829E9BA4CCAF9E79E0BAA1F2D5A,SHA256=B774015AEE3B4603F3407C38421979C31F13147EF18A7E2B2A6021834A1160FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:30.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA333AB0755C24B88449A0F2771065,SHA256=1010EC74E6C0638C185EEC20795C6EC1E10B23175298837E4F893430CE14EF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:30.350{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D56DD38931B0F55F4C8B6D5E6130DB,SHA256=6A64EC9F9AC1EC5949124527DE40DE5FBA5227812AF0140EA38091A353EA6B2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:26.693{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50553-false10.0.1.12-8000- 23542300x800000000000000084150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:31.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1458D9DE731566BA9C9E5A2DC1CEDD19,SHA256=D168238C87262C69768B212318420B11F0E72EDA8784B24F3FBE99BB9250FD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:31.366{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1809FA2F0208A57F4D25230431CF42,SHA256=1B9C1F7FE813FA7B7EFE502490FAAC89F0F0FEA674A3D3D0616FEA1556EF7E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:32.871{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDD4AE0E444791FFDB73C75DF2F2EA9,SHA256=D50B8FDADCC98A8D8CE889C65E4C51FA731A9563BD820BAC8C3F69D43ED90358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:32.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E02CBDD6AB5FFB3B96B7C1A718080E,SHA256=5A1C03424A7D4FD1B6EF3BABBE401F14D14479DA1A66BCAA10228093C1925247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:29.587{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56041-false10.0.1.12-8000- 23542300x800000000000000084165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C183DB8E112A4EF32578D8AD3549A09,SHA256=F77EE55429FA0C670FFB314692A0B1C17C29BA656B99B3E875F08E845D497CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:33.444{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153E8A5DCBB75987F5E9EF4DC26FE3A8,SHA256=658BCACEFE384106DF0CADEF52177848F7BBB22D04E7C2F6DC459E1451266083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.277{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:33.278{6F8252D3-CF35-616F-7302-000000000602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2F4E6A150DAA98E35D191A65FDAD0B,SHA256=2214E1756081E5EDF8F7C5187373EE51E6D8B4FE53C18F474876B2A079C90F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:34.459{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC65958CCC00494CA08E0684E8483,SHA256=EBFC63B5F3C41C4B941884DC809BAECAD86AD40C72C044894DC7E34063193DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.762{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.763{6F8252D3-CF36-616F-7402-000000000602}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:32.678{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50554-false10.0.1.12-8000- 23542300x800000000000000084167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE602911E5E5604F662C699B7B4AA6E,SHA256=C3A304F3BC5B71CA775660500ECB20B436ADA08BC302C3B6F19482959E69D429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:34.278{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23F5BE5EDBE8297BD9ECFC8C4FE3D4A,SHA256=FE6CE6E2C7C6B625EE0F8F95F782295C781C56270D853AC5AC860CD7968F001C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.911{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96792339CF40DC2F6F2E3594C6392B56,SHA256=B9977E169E30183C1FC34118FA64B624F3C32F2D179BC217A7C4B9387CD2652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:35.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E4F70288126B2DA9E14CDF2150F396,SHA256=9948E7A8E0E98E1DD8E196C03A08AB796326333B512124A5C80EC832AC411FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.895{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE602911E5E5604F662C699B7B4AA6E,SHA256=C3A304F3BC5B71CA775660500ECB20B436ADA08BC302C3B6F19482959E69D429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.496{6F8252D3-CF37-616F-7502-000000000602}3036404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.262{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:35.263{6F8252D3-CF37-616F-7502-000000000602}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.973{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.974{6F8252D3-CF38-616F-7602-000000000602}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:36.942{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FB3023B0C22641716581582D3A19F6,SHA256=05296AAB71ED22AFD81078DFA13D4033045F98009EFCEB03968012D419078125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:36.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D805E00C9A8A9BF2B8EDD226E478C54,SHA256=89197E8160E5B171B95678D09A5D406054F2B96140BB0778C01ACDDA5553B831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:37.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B0D52F30FF64FFAF590588A4BA9B34,SHA256=4A4D795E1FE9F76096B931C53A0C2E7D8D4A842CA16AC4DBA25865305FEA74D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.973{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA598D7217720458078F854245512268,SHA256=9936167869651568B4DB1563F72E623982AFE45A83AF623A20972D11A61B8BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.848{6F8252D3-CF39-616F-7702-000000000602}31803432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.645{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.646{6F8252D3-CF39-616F-7702-000000000602}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:37.161{6F8252D3-CF38-616F-7602-000000000602}32322360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:34.743{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56042-false10.0.1.12-8000- 23542300x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:38.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88A380F1BB8CE6CF3D9D5268C5495F6,SHA256=9569E9A6D458BE5778BCD1DEC59C1292B7C96F17B582BFC7B84603B3805A4011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.333{6F8252D3-CF3A-616F-7802-000000000602}2844836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.164{6F8252D3-CF3A-616F-7802-000000000602}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60582AC2DAB3D3D994E140D3F27A748,SHA256=A7EBDC5ACFDFDB8E81DABA1C68B48FF7EE86463287FC757613F1F588C398DD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:39.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C23310F5DB2702153EE8F41BCBC6A4,SHA256=F4EC6054AAC6B893E86A156F1459076888B25752A09055211B2434830C0DF702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.614{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.615{6F8252D3-CF3B-616F-7902-000000000602}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.317{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F81E67CEBA441C0ED982D09AEBF8952D,SHA256=E225775EB9471ABA4591FC90E97D527C8EF6DED88B6FD197465CAECBF6C5E367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:39.176{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108FB99BD80D57FD8FC150E7191E2231,SHA256=0C20810C25E364B5AE21FDD479C342113BAAD2901B1818D556CF235D0B5451A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:40.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DCCF5D5366DA505755A28003A6150,SHA256=B1BBCC4D3F332339118D7FAC34931CBD474C147D5637D46CA884084B00204879,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:38.701{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50555-false10.0.1.12-8000- 23542300x800000000000000084260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:40.848{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F292C4F1470AFE847E9897507A85D3B,SHA256=C8CEC3E393CD5368D8602B74C08ABC54129C0A54EE607CFA5F9EAF06A0628DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:40.208{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6724207FFF98973AB0002A24FB26211,SHA256=8C351DD0472871628DD83FFD29C504667E5938018411249780CAD32170B0C43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:41.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7017A40D4EE7113F4E5876247E6836B,SHA256=CBF8DE7A01A142D6314E95D2C131B903E76D26A7B884252435ADDF259F778D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:41.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5C08FF169637ED4563E86D1A264CE3,SHA256=FFA1D3593275B8B8E0413ACDCEC9D2B4B4252B472EF5D33502481B1F28EFE70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:40.579{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56043-false10.0.1.12-8000- 23542300x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:42.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03736A453356771FC8F7B8041E96C63,SHA256=DFC88AC88A18148315A3C063DB8C27F68C9492CD8148F6F6B086D011E556A6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:42.270{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9421FC8A8AEF236300F245286A7EEF,SHA256=B1D0F96DF50289E8840A6662A1DA34AF6B661CAB645CE1780B05C405A5C6B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:43.576{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E968398C6BC494FA1E9A4F39AE37D300,SHA256=621F9D4E90759CAE5D12DF818434B6FECD523622CC3BC08D20B6A7131BE10D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:43.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BE9FE1B75B70CB596614F6467E5A32,SHA256=C687A351C69BD6C7C9825BD8BD6F54B150BE19373ED262CA86ED005BD8ACF45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:44.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3CCDB7EF834D070B724E2A6AB95D5A,SHA256=6BC9C7BD9948EEA3586B82945C86098117C8244A3C295EF608C8885BF738A37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:44.395{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75233B884C5061DF2399995F13F6D7A,SHA256=A43C4740DE39C2BD8523DB5D75967FD2F9453FFDF884D31C15491E0807D1A7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:45.582{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF540F98244A982DC6ACFEB231BD4073,SHA256=A156AFC308753A8823849B7362B964A59CF36ADEA6D3E1228376581ACC27F4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:45.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1193BFCD42D8BB28F92408609CB40FF9,SHA256=D54300B3EE4E89383C8F0B7B937ACE8D89A0F01EA7892ECE849E24D9788B6F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:46.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA1CB144EAF0A42B9D1599DD2868E74,SHA256=E95384F79B543200E42207777DAF33CFFB2EA1E60DB30415A08F5969985780F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:46.614{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF1BB277B98D607365F54F2B16015FF,SHA256=CD61D583EB18AFF8430168CA50DFEC49F6E30D489D9034AB07AE6ED3F57FB13D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:43.733{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50556-false10.0.1.12-8000- 23542300x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:47.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE5A38C56E1C3E1DC9BC8D8435E3E85,SHA256=8AA8607F0D47129C620FEA95DEF0C1874874685CE334CE1D3BDC17C8B242058E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:47.645{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8312CAAE3AB9C6C28EBC2326D06FBB,SHA256=0632A32489D0E5FCE2C45D31700724F44E94CB5965CE5A3712628E7FAE1975D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:48.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6048B94BA2B12321364B79B82AD2EBEF,SHA256=2030FA3ADA392B716FE3F7BBE3FB30C70DA53BEC81481271E30205AAD38C3423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:48.645{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA143743838FB7F50DDC9F49F6669B78,SHA256=42813065B5CA6CA319196BFD25FE11A119EB748F340C53C0E1115075C12F4330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:49.785{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E900F0DAAD8B7FC1419ABEA6E2D3704,SHA256=F3A43A8AD15870BA4FDE19FF0AF0C052D0C125669E88DD3F6C2A72F5DEAEF7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.810{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.811{8D4DD44E-CF45-616F-A302-000000000502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:49.685{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51ACB023593F2184324C719F647F55B,SHA256=399A950D125D97E5119FFA1ADF8DB91FEEE5906ADBC816EB59E203077375273B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:45.704{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56044-false10.0.1.12-8000- 23542300x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5495941CBA3A88742556F262B47ED664,SHA256=D5942F452F066CD3D386F783CEDDB311349C4DFD2344A4B81F4ECE15BF1F4491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30AA41B3A3A67775DF5229063E995DFA,SHA256=EB558F22E4099F7B7310FA90CD63D5A464BC812643BA57DDDE64756D59A6B5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.810{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DC45C8D9EABF62DEA3F1B37B6ED6C3,SHA256=0581E8FC767A07F291D7096831A76116606F3A69087C06E2173CCDCEED14B19B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.482{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.483{8D4DD44E-CF46-616F-A402-000000000502}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.013{8D4DD44E-CF45-616F-A302-000000000502}18842172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.154{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.155{8D4DD44E-CF47-616F-A502-000000000502}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:51.020{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95249FDC64958698E5FAE0F1085E82C0,SHA256=DC3CD774FABA1A060A654974030410A7CC81D6906452C39706809CA72ED42BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:49.732{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50557-false10.0.1.12-8000- 23542300x800000000000000084273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:52.051{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11960612D9941F8DD2A4311975B278,SHA256=3F6E4C34B90C1553CAD0EDB5C83131EDACBEE9CC2FC641549D5E626B6B89B128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.967{8D4DD44E-CF48-616F-A602-000000000502}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.045{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCAA5F242D9C3C8D53DEBDA4CE92C2B,SHA256=90C53C4DC30620CB82CDB2A45944B7BFBC5A169322A715C3213C1E4094CBADD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:52.029{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5495941CBA3A88742556F262B47ED664,SHA256=D5942F452F066CD3D386F783CEDDB311349C4DFD2344A4B81F4ECE15BF1F4491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:53.067{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723ED8CD3EA0C0E5526EE93214DA4662,SHA256=41B99BADDC528BD948928DEA42A52C1EBE92611F3A4AD122BB83326B93685E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.795{8D4DD44E-CF49-616F-A702-000000000502}3323804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.638{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.639{8D4DD44E-CF49-616F-A702-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.154{8D4DD44E-CF48-616F-A602-000000000502}13643016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.454{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56045-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:50.454{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56045-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:53.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19788D004C41862771D78669835834D9,SHA256=01638B6D654E50656ABAA938E697BFC3DFDB40137440837B3BAAEE5B9A6E926B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:54.082{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD37C4398A5C9AB7181521E5BBC5C07,SHA256=AA257842C0083B0CE8538BF2165A695199457276AC057816EFC08960C90BE089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.404{8D4DD44E-CF4A-616F-A802-000000000502}3764680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.248{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.250{8D4DD44E-CF4A-616F-A802-000000000502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:51.641{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56046-false10.0.1.12-8000- 23542300x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.123{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A374D5F2F59C17CBED1A9AA7D3D13E2,SHA256=F4C3848BB9F4C221DCDF20BD5F1E61601F79048CABF258AFC9D336290E7BD431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:54.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB83D83C710B6C2AC39E3EE960FEA6,SHA256=613A244162DDBBF24AFAC045E0B7F88C0EA8C69F9BDD5D73E3B8ADDA3ED10B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.388{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.390{8D4DD44E-CF4B-616F-A902-000000000502}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.248{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16EF1BEB596CA03EAB03B1CC9626975,SHA256=3B042EEADBA6CCA875DE1C1B61E1C6151FBB0C60125C4C889AB61670E3B9EC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:55.060{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5065D35F6900AEF6ACBB67BBA51BB7D4,SHA256=45F309574EADCE05B8B86B931A67D20D4B9A947515B5A2351F3828350E4F520E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:55.160{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524BD9C6313F8B48083BCBC1C95BD32F,SHA256=4FA879C7EB37864D6908D57AC39F179D28D70A615317371F7208E51895632086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:56.165{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9C3E69D39A1FB9385B50D4FFBB9685,SHA256=2404102006CF683FBBB6541E13F44658C12903F3D990EE67388D39C8FD647086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.408{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E739D319B85A93D57777AE3536DE2C,SHA256=8970788E70B7E34C00B3E3EF954B8CE25B099D824D6D5A10C651C126CCC2E01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B764E00DD58EDC4C74A9108435AB5C,SHA256=A516BAF0818266F6B62AA9FC9B20FBA7AD6C4DB2BB83011659BAE0BE5503F6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:57.165{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C680BAFB017E4244E8C14CE36111FADA,SHA256=5545A462A3A2C18634AE17147C307DF0D593849222CB3D1E94BEF2F5A9F97546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:57.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB65FBC249C22941A25F45BE64CDA81,SHA256=117FB8B5CF02852B4BB05E3BCB1F624E6BBEBD1FA16C84EE56F25E1D3249EF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:58.181{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CBB800F29EE96AC83B44209AB885F,SHA256=5C5E3B5EA6ACE420ED8D81C66ABF5266C0F2A8F1CAE9FE322ECE1D8F8013690E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:58.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F74FC07C44B069747A26F9FBD8973,SHA256=34C27662A1108491C5367F88FE8799797C816E581E3904EC1641AD00C7905820,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:55.721{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50558-false10.0.1.12-8000- 354300x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:56.677{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56047-false10.0.1.12-8000- 23542300x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:11:59.095{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFA845AECBC906C98C5F7CAA21563E7,SHA256=DD3D085729DCA2D275553F04A6E0F355E7FA88D3D0ED6661565BACAC1A383078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:11:59.181{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15382882E09C20DA36D17B77C9687DEA,SHA256=B456ECDE61C96CA8293CDD2A7C271663BD1C82B24139B948DBD1E1F469783FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:00.196{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C966F28686B0A21B386151424B34FADE,SHA256=F58038331994368318BDF46B8FF63E0424FAE1E7FBF308CB6742CBC24A0619C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:00.189{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9395D9054F0A84FEF96F0D54884A24C,SHA256=0D8FBF44DDE9B5735A330844E149D17D0A4421054C4E54B8B03C0F2EAC603045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:01.430{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA24BE14946BA0A90F07CD891D7266,SHA256=6FBFADF9EFAB9F0ACA7A8006A7863D98A198585B6E26FA907E9E24DBFB116346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:01.205{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8689FBE385A959633E5F9FAD67419AE0,SHA256=EE4F045829CA3DFA07D4C77B283868EBCEBDC6734F83A80DD7DC532CC2D5F620,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:00.768{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50559-false10.0.1.12-8000- 23542300x800000000000000084285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:02.461{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F454A9664909715DB4CE8DFC0FB0E,SHA256=78EBCACF8D2854533A75831C9F14EBF39571F596A76547ADDC7DA561A2657720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:02.205{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3AA2C4F474A7A4C440C908F5761144,SHA256=0A8D8A2051BC2D75D204CF4F668DF375116AF045B3C772465DA5519A0F61F036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:03.571{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932BC11083E0889B1153AA6EBCF40B3,SHA256=C29DD9DDE477A3A06D7741553700A371962D0DCD86910880735C418A8CB53C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:03.314{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0709F0E7418521A229548DE4644B61B2,SHA256=C3B4FA34EADDCA85AE2202DA2D9CCFDFCC5F77D2A90A2C0B26461CC68ABCC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:04.618{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3207F223524800CD6F5E7C785162DF,SHA256=7B51320A34A670DE38461443A12AEB686B200568563EC83D9083F6E82407E2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:04.345{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4134D6156E4AD640FB4718DB54279B,SHA256=FF9E6F9FC3A12B62C7039F1ED5C49EF2C94FE300D390437EE8C46EBDCB18F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:05.635{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044715B3157B26C228D844BAAAF6C3C9,SHA256=83D1D3448E38F71878F8A410A17FB2DB27ABA105386419261CBE2B19113E3BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:05.377{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A778353E0E5F0C6A7940120DCD43DB,SHA256=698FC0E2B2C74A50C8D6FD9DF46AC58AA2614F09992B81D9F391EE920A8C0D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:02.536{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56048-false10.0.1.12-8000- 23542300x800000000000000084292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.855{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F636E0C81189927C474D5AD14E6346,SHA256=D40B9F74145221EB71C7CA924718604D3FFD0A80177B8D99861D97F9E53A972E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:06.392{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330EC92A24D8247EF1583BC1A0364249,SHA256=9081A0AACA3F9E4FE1F7DBAAA99F8AAC053DD8FC87B923A41667E4CE67DE48BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:05.137{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-470.attackrange.local3389ms-wbt-serverfalse146.88.240.4www.arbor-observatory.com59195- 23542300x800000000000000084290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.044{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-066MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:07.871{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A24B59638B7AB4776976C570962263F,SHA256=75D7D0EE2706174DA1C340B113F7F03A9752D8800EEF63EEC3F0FA985C4710F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:07.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B513DC8D0F235D3A31537A182362689,SHA256=41A4FDC587EAD7B7281ED9EA02CC890BC351184AABA0161AC0DF61FDFDE9B46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:07.044{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:06.227{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15-49467- 23542300x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:08.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BACBDE3ADDC522EB11D72F34F965C9,SHA256=924A88BB27DE52FC5078AFEA5870C145B724FD18DC8BB483C37080B27E6AFF2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.196{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-470.attackrange.local49467-false10.0.1.14-53domain 354300x800000000000000084295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.193{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8b0:1728:c90:ffff-49467-truea00:10e:0:0:0:0:0:0-53domain 354300x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:07.708{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56049-false10.0.1.12-8000- 23542300x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:09.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B936D61B32FAD5AC4628FBDE203F0326,SHA256=DC318D68073B12F2C5BE8E0F557EC18C43147AB51ACEEEA7F67BC8F6D57D5F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.605{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.058{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6A76E439D3BE60A3BFE579F641E961,SHA256=32C985516976AD73EC98CCAE95755F8CCB331EB7EEC5C6893C77A01807454016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:10.215{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504ACD1CB1AEC9467D44A7A19EB7C2D5,SHA256=696620FDD733CCBB1B6629B6C5D1B4404DE9B72884B83C3148B0FFB8C6BA3353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:10.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF197B5D34446242DA79A6C0F2B990B3,SHA256=AC55BEED51534904C29DBDCED8E30EC8B8B5185FEFC78E55F0C0F74AF83B6862,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:06.785{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50560-false10.0.1.12-8000- 23542300x800000000000000084302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:11.262{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D373A3B4F35C00FBF166353F156230,SHA256=68264A9452DAB94F6AEB0AC52D41230B3DAF9759B648BFCA5215F73AE4EA0504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:11.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FC1105AB39256E707BD6523397A8D,SHA256=5194696130AB3C1AC382C57F4DC65C94BFB8540AB6CDC2A8283D27E92B6FEDC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:09.147{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50561-false10.0.1.12-8089- 23542300x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:12.470{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AA2302606D42450D40167497894E1,SHA256=B77283DD8B06F67B2913C51137F39BD950B48F7E071A099E2372A0072A1139A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:12.355{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B1CA97335FF5ADE59B62304D71C2B8,SHA256=A35CFDFCB7270129CC444DC1C4D3B56CB53942AE1DD62BA22C808FDC9F0584F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:13.471{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB8B455E7A8719A74D90D7BFAC949A2,SHA256=5EB3D3A54DE686D6C7C927D0BBBFFBB40DC647E1490AB97DF67241CA19B0BF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:13.371{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F08D941AA7D05A0D36F9BC23800E4E,SHA256=8669BA920CEC4720025C22D4013A3831F1FE47F02D6169F5CCCC396B182D588E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:14.689{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163C291A206AD72DE8B040A7F5E7B7E,SHA256=F0E9EBE337D5A1203EEB0ABA44C57E5BEACFF599E660948FCA87E176ABBBA563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:14.386{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2E655C56641FD743449A5A5B01F130,SHA256=5A4BE7E3B0C1AB85C1C12CA19468361ADC618828254551D2DCDAC0E7C0B318E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:12.787{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50562-false10.0.1.12-8000- 23542300x800000000000000084306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:15.402{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757184EA0E63680976DF42F01D1844DC,SHA256=D7C806BC57FB1F8E2B31790D8A3BC719C43C013DBC14FD99AA6F88EEBDB70C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:15.705{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3A1042F01ADC0F0977129805E3C99,SHA256=061BADD9A182D43756E1395D62A1538418AAC602B591F1B6E7BB744E5C397F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:13.552{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56050-false10.0.1.12-8000- 23542300x800000000000000084308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:16.417{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191570FA8924379DA081B61039B4548F,SHA256=1111ED3E79FB14407C034F92DBADE4ADD74B7F89D81FCF2EC87F37B6B421814B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:16.706{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18112EB5587AEF5D8531A313414B90C4,SHA256=9AC4A1FDE00F2EEB95CED7AEB1B936E2AE49042E91ED3A4AED2B93BBA44ED525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:17.722{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4D2E9C20F0793FBBC17B4D996DBEE1,SHA256=3668A77F6008E4C2DA531CDB2D04C953FDFF842A90F397EAF6E56177BFEC6D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:17.432{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81897E23C02C8A54A44A91ED852E982E,SHA256=CD6892EBA559481BF19ADD4818F87C2F2B8E0F1078028C27E5446C5A508F95F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:18.753{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F39EBAB74844915C837CC379B64F9F6,SHA256=6FF32CD709CAD307EDADAD6D0CAE104AC4F643423444CAA847896717FAABE075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:18.448{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C89A27FD4FFDA834E8C80DA13E25D5F,SHA256=BD41902611F4FCFA0281291CA141B40773508310A95E1DBA7CBEF8992B435FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:19.769{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDED61C728CA8E75541EFB01F9105C2,SHA256=6CF53CB28B0627530D2B05FDD950C1408F196AB487FBCA02B29289B0A09C3A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:19.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916A5CA4BF28C59C0AAC1A6D5548292C,SHA256=8D1816C6E6B6CAB8E6A368D2518A2B9DF47A531410C1FC08B397CE6BAF5FB854,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:18.739{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50563-false10.0.1.12-8000- 23542300x800000000000000084312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:20.479{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0301CA9310ADDC765D78F037BEA096D5,SHA256=DD64679DF629E63CA6D6CD3BD2BCDA6E933A40ADE995F10CBF52EDB6C47008E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:20.616{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-066MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:21.495{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B6B070F3EE08830F7858E826EA2504,SHA256=9B33BCDAA799C20CEE5BDFA2491926EDA7D7E0AB0643D8447B0C851F9F32724E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:18.663{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56051-false10.0.1.12-8000- 23542300x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:21.630{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:21.004{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA5EEC074654C649A7D6BAC60B58443,SHA256=6BFF04CCF8723574AE1BCC44A4FBE013649600AAEAEA2F3AC2243362F3BC0CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:22.510{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BFF20F062D325EB65996F5FFE930D2,SHA256=72625155D2359470772584869F135A9195A80F62D5840C3B7A2249E9319989CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:22.019{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD0646AA49A5FFDE9FE3E9BF574188,SHA256=E9CE04D425B9668304EE8C157A02B5BF04D5F7BC6738872622BA8D12797F61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:23.526{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0D2DC4D6166D2D1B9042B1E64FF9D6,SHA256=E41C800EF469C02A9FE8D68316986DF0F243F7DEFC5DCF3B28A74623E3D22948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:23.053{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432310DCFA97494B0FE0AF730680D3A5,SHA256=1B601B1BDAEADB35D0ECBCD4EB61E94D22E5D4C356A8C2FD5BBEE72FC2C0C3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:23.104{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3E651E1E5867BDD1259C673803B70F88,SHA256=4B79577D8ED88996FC9E8D4CF0BDD89F66ADB8713B56791F4894DC58682B3EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:24.542{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D4E58FC05F17FC0E6A8DDF73E4865F,SHA256=403CF89503AE585F7095E17E26D90754932070199EB8A7FDBAB5F5CFA25EBD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.085{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC05E59920E15F27937ECF04DD0445C3,SHA256=36509A10097D0FA07C0B708A1F0049F86BC819E4DC02F78F0317DE4FE19E6830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:25.557{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2797F3AA4F26CAEB9E4CE950F69232,SHA256=6E84D5E02986D7E2D71F65191450301776D2926B8BA1FC7425ED641F5D314B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.210{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.210{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5599FA70A09B21458E3BFD74C2A186,SHA256=2781E65C939DF119D247CE905267996A3772ACD0CEE45B8052A15BBC898CDF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADA0D3C8B6D621F55DE11A3976351BA0,SHA256=5726E11617AC35432AB34078C7AE9A4ABDCF2802530C631A7943CA57C7AE5E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:26.573{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9AC094041FD6A152D14FFC17DA92DD,SHA256=7BBB7EE84A34CE0E9200590C1B86763E503458CC4B7E347FA7215319F829F747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:26.303{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD3EF036E8194827EC3A822A214518,SHA256=D9A1CA15488E2113A6F3804DC834BC99CE20F63E6F569D89D90875FB510B16C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:24.754{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50564-false10.0.1.12-8000- 23542300x800000000000000084321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:27.588{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1F29441CFB0ED58E0CAD926E65A72A,SHA256=E833BE1ED986C7EDFB131AF7694E86B97ED84D8A81EB8AC26845204CFDB9E352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:27.366{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C9609B8BBFC346AF36482A751A8A67,SHA256=63917E4F664A4F3DEAFAC25CFEA68B45546E5D900A3EB2780F6E8E24A9C51799,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.682{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56053-false10.0.1.12-8089- 354300x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:24.589{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56052-false10.0.1.12-8000- 23542300x800000000000000084323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:28.604{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7606AAB96FF98456FCCF2ABFF92BA7B6,SHA256=6EB8EBDAAA11E440A45E274EAE3CFC5A655A4DCDFACDDD0265D3E1DD09510815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:28.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0352AAEE5FFA835DEDFCC650028317,SHA256=6786C600A554A7ABB0AC2B1B94B6DD70B7EBEA7FB66210A434BCD23E53B72212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:29.620{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CF41AD8AE7A02ED7928F9B7DFC2CCC,SHA256=F5A58D410A28AFFB1A719FBCA743AA58F34D7B648B54F0B7D140A5CA220B1ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:29.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A26FE93E192E82096BB0BECEE06A1,SHA256=C4E7CF6E47A71590039DC1E66EDE62505D7DE5E147640A2B1A96717A1701F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:30.635{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF3774BCFAD8BF62BE6CB1413759053,SHA256=62A294BA3154E5DC092A2EC3057EDD1183DD380C206611E2CE9F66C85FD8313F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:30.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696DEDE8A028265414455F50869F082B,SHA256=132B3CB8B98D0109ED3F85404FABEEA9829CAFA7264BAAF3C885E3E2FEF2CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:31.651{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF0E84AC118D6131B99028D441F1633,SHA256=06C5440B48E473CF2484A58D804DCC0A165E0109F19B5418FD0F6594404A2398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:31.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5650E650617C974E239ECDF1382F,SHA256=5700DAF8449F4E40C410EEB74B7CF44EF7630F4112F937E52E88E43B953D89A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:32.666{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C57D24ED2F2F73D4FB0DFBE39F9312F,SHA256=478326713B4AFEB0404E1D662C705C10EDB116EDEF0E775B0C9B4C817B325BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:32.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAC8532AF8F4FC68E3695D234B68AC7,SHA256=0596598C1F031FBEA0E2F51554599BFF6F06AF2AD99B0C9DC1A4068536DC51D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:29.729{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56054-false10.0.1.12-8000- 23542300x800000000000000084342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.682{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2427D2A242D3CEA9885C8CDB7A0A7197,SHA256=CB5B722A81A392CC0ABE3C74BC20ED093F57830F06E3BC3205008F32DF1E8894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:33.428{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9286DADE15D9A7333FE1207F79F24589,SHA256=CED8D2F832340C02511755A434C850FE04547001DA1F1E61E861EC14968778C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:33.276{6F8252D3-CF71-616F-7A02-000000000602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:30.801{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50565-false10.0.1.12-8000- 10341000x800000000000000084358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.760{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.761{6F8252D3-CF72-616F-7B02-000000000602}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF5C6B6F937E21F715418741CB5A57,SHA256=D6517B08D198D4127B30EEAB064D6893314F119C612E14072459A1312020CB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:34.429{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0CD55F0A2568537DF0C0FAA1A7C59C,SHA256=E58D6C591D5AB765A3866D235E67F19DC22762063FA98B95DAFE7C346BD4A3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.494{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D0AD2F39B4256C617AE280416B42D3,SHA256=4F7DCA1D2B2387C1AC1295A32D896A55C7DA3364AC42DA9DF7BB3554F16A726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:34.494{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D41CD91A1E84BA080E43A72F3DFAC66,SHA256=367DB1C280FA7B2D7C9467A58ACABE8D501C4505A4A5EE8D67995E34E997BFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1180870E6C8DFBDFA4BCBF310325E7,SHA256=97FAE9DC51A8BB72FD27ADB1C90430127E2F0584D14A6582023FBC7C10064A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.890{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D0AD2F39B4256C617AE280416B42D3,SHA256=4F7DCA1D2B2387C1AC1295A32D896A55C7DA3364AC42DA9DF7BB3554F16A726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:35.444{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7D0BA78B5CC6D84C830B8E78F9D11F,SHA256=33881605310BD3240659132BA347DE952BA2D8A21EFB0CD1CCD21B8BE742F7E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.276{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.277{6F8252D3-CF73-616F-7C02-000000000602}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:35.041{6F8252D3-CF72-616F-7B02-000000000602}33002928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:36.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FDBE6F714C817771A5037ADFE6C33A,SHA256=998D483ADD27D5351602719A185DB08B4E7E63A876561A9E875ECD356D2111CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:37.539{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5712CA443C9F4962D8344ED18487094C,SHA256=1FA3145E7FA64A959A2B1ECDBFFDB70A22AE77E02FF488D228A6A9EF13261B5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.687{6F8252D3-CF75-616F-7E02-000000000602}39642792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.499{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.500{6F8252D3-CF75-616F-7E02-000000000602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.218{6F8252D3-CF75-616F-7D02-000000000602}1324956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.031{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF75AF93C6C83DED35BE18FC80634199,SHA256=44BAA8A5752BBB3258B1F5F49865F25D7B187743DB493D6356B94984A3215212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.999{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:37.000{6F8252D3-CF75-616F-7D02-000000000602}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:38.540{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAF294D2FB6583BF7BD4B681CDEE3CA,SHA256=4544C83C66574403F2AB2C136E6EE5656A0EDA7EBB109BCD43682D1690DB95E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.374{6F8252D3-CF76-616F-7F02-000000000602}28963592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.234{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5C2B4BDD6670F1E264D81ABFC7DAAF7,SHA256=B0F33B2F6304189AA4DD6FC87BC48664DBEDA8C3CB217E2D5B536A451E203EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.171{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.172{6F8252D3-CF76-616F-7F02-000000000602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:38.046{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE0D79DA1BD0A85E9649FD8B5BD8070,SHA256=23F5226C6A6F6CA75E6C33C53B31ABD05927E3C3C6363C3B5635238D24DEF7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:35.590{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56055-false10.0.1.12-8000- 23542300x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:39.540{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E603440E2D12933ED0CFCBB0B5F946E6,SHA256=B9809B080CD0D5EB69A05C1678993B0EB0D8C2644FC0D72B5D7F52484327CF9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:36.759{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50566-false10.0.1.12-8000- 10341000x800000000000000084433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.624{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.625{6F8252D3-CF77-616F-8002-000000000602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:39.140{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4901E3A6D104467E22EBE1519EE3DC05,SHA256=2F2BC46D37DFF6BD528A976099CE3C9E0D5B9D6DE0B33BC0CB93467B47F11A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:40.555{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0105187E7C6286F9C8413A041785DF,SHA256=FC89383F8C350787B65244D86167D9B9F7EA45FCF60686654D4907D0D12C5814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:40.734{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDE29C2986E4BE4FBA085A1C834AE5B3,SHA256=1D92E34C16F5D33A68BB43690D2730B67AEAEF2DF1B86137B58DFC63B5CCF78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:40.265{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A661CD2ED32DF2843177800F75B7ABFC,SHA256=64B00E6317B9910A83F03A1FCF893CA0D382115AE6E441F867426F6D640F03CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:41.571{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE6024F680AAB908EF9F7A2DDED4486,SHA256=39D37DD2A7E46D57701773B6E38700F01EB536A350DC911040762CFB12837074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:41.281{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86A1AF99103DE41F8470F99801DDD60,SHA256=FF7A0EE57D1987000FC663233BB799AE0286B12ACFB7E2F08B934ACD524EEE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:42.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BAF7F906ED76245C873CA3F220E284,SHA256=714EC0D30761F203E0BA7849DA713067BC581567178060A2AFE604062E6A2F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:42.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9D490378544D5A971C8F1C9308031,SHA256=8AB873BDFEAF1BA8614807477BFB4D4D88A40BFEC5530BADAE46CD35CEDA2912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:43.649{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BC8627A566748A6B8F38EFA12C9CBE,SHA256=CEC72E1D8DE721897527E8C7AC48F0D957917E1FBA78BBCE1CA2D3CEFB7E9D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:43.593{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACE1EEFE2AC2B01FACC9621550067F0,SHA256=663052F8640A3AA355171A5E253F61438E418C016AC96F08A32327E92733C125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:40.653{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56056-false10.0.1.12-8000- 23542300x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:44.665{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2D0CF5AC79DE97056D4375569E7F23,SHA256=2A21631C70E82EB6563D6F4E7F1EBA010F4CE282B7CB22A5CFCCD0167C990F6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:42.728{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50567-false10.0.1.12-8000- 23542300x800000000000000084440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:44.624{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFF1E61EA1C933AB08557B52B0C4346,SHA256=365E8714FC4D6CE92180CEF8FD3B36B3EF9EF4F9C0958213A103DD82E26DC145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:45.883{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAF01E0ABACF3E9632424286AF788F4,SHA256=000F2AC873D456C5EA4DFF6483103FB2F4B991950852D2369032C6BEAF4163C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:45.702{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801FBE9A8F96B5EE95CF789F31C377EE,SHA256=8A15BF4CA9320F67D5571791D84B3E9FE82F982141637F6DDC72A100B835183F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:46.946{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9CEDAF014512C2E76119A04650BD0F,SHA256=8CE0B4ED54A5ACB154BFB8853339487AA90CEA4A88AB3AC844F103F545B4AEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:46.718{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E53D09B8010E93E770A99C8DD9806A,SHA256=D39C7C60B8C5105C2B479F723702E2FC99B1A9020E53B3C3BFA83C9B8C864E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:47.946{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDECA63008826C7D5B80B8158B11954,SHA256=0B34201ED1FEAC79B246DD944E615DCBCE411339A216306C70D668C4A2EBA28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:47.734{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6853560EB76C7B08220188E3C8817FD,SHA256=19A6BFF35E6ADB1EFC1E47EF47FE53E893D269034A3CEF132428AF1B402F7FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:48.977{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCC4C4531F4BF7F01C413048DFDD969,SHA256=CE1DD7E9079343A25819C0D5E11306DA2A1D438EC1CCF70F3D1A75B0AD078DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:48.749{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66687CDE6518AB6E0A484BC4702EB27A,SHA256=29B1AF53311DC139B735DDB2EB2D946A35AD81F055D525181A5F1E9D2CE65F5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:46.653{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56057-false10.0.1.12-8000- 23542300x800000000000000084446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:49.765{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34C380122C4EE6D918DC64E75EB7201,SHA256=9968F6C656CD34FE0728CCDF5AA9A41EA46E9CFAF41BB80E6747DE926EDC3D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.821{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.822{8D4DD44E-CF81-616F-AA02-000000000502}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:50.780{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB5967FDEFC6D482B43322D4C4C622A,SHA256=D3AA53F6C6222459429F18E0D3EB718549B171494040C7C1ECB669A45B138C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9BA60BAB78DD3AA042F7227C3B1D4D1,SHA256=608683348F1EB0F84E820DF060244E5D28A2375D60140A51CE9E3A8DE799AFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79DF2B1D7D5265BA0BA5C5C085EE24ED,SHA256=10492487A62947C7580256DFC74D4487BDA2BD23D50331747F2CDEBF678BDE53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.821{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.822{8D4DD44E-CF82-616F-AC02-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.321{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.322{8D4DD44E-CF82-616F-AB02-000000000502}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.055{8D4DD44E-CF81-616F-AA02-000000000502}13045076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:49.993{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107433F02BDA0417D202E763EB209847,SHA256=B66ACB1CE8385341E55EDBB0DC4D033CF2159F05D3DD7D1FB63E9A04DD2FBE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:51.921{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A22F8FCEBCCDF1AABE8A85CDA8E3920,SHA256=828444B3DCD6A93225E10C425B2EC7B46E85FFB8F81457992CBC5DE4293EC789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:51.321{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7083BFFC834C22033C75E4D397BF715,SHA256=B66B619B7F03FE81B089B78F2D86F3F42A27AAAC26DF4A2A2C716129387D8B58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:48.759{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50568-false10.0.1.12-8000- 23542300x800000000000000084450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:52.921{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C2C88099182A6E05591B3AB238C74B,SHA256=F9ECEB972FBF37B75016D22E2E99BC565CA8EE2A96B4452AFE135DB462721B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.977{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.978{8D4DD44E-CF84-616F-AD02-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.466{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56058-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:50.466{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56058-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.383{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3480EFD8979419B68FD163C7C0C0A7AA,SHA256=10A6462E0F68E9C3B97B0C30E69293124B1914406A6407F55673A6753666D2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.087{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9BA60BAB78DD3AA042F7227C3B1D4D1,SHA256=608683348F1EB0F84E820DF060244E5D28A2375D60140A51CE9E3A8DE799AFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:53.922{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FCCE0202A1F78CB3DD3A4CD1DCD40D,SHA256=FBECE7629D69042FA2BB688AE54E25BB9488899A6AA5BD8C34A54B5B8729E354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.665{8D4DD44E-CF85-616F-AE02-000000000502}27121896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.477{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.478{8D4DD44E-CF85-616F-AE02-000000000502}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.415{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A99F15DE4BF110037F343FFC9E72619,SHA256=440DC61C096160457D8DCC0E3A1B1C0B1C1F90DA925854B9EEF7F297A9C62D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:53.196{8D4DD44E-CF84-616F-AD02-000000000502}1516516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:54.922{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8327B48161C147904C8E01717765EAC2,SHA256=0B425F55C9ED1694BE305814A5966D6A0A44FF6E6DBDA8772236C35DAA68E688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:52.576{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56059-false10.0.1.12-8000- 23542300x8000000000000000103276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46B780D2C108106F3712D02771ECE76,SHA256=FAF4D37FDD835FA4C79D97EDC4A011C03C8ADB5704DD32B7222512A700A119F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.399{8D4DD44E-CF86-616F-AF02-000000000502}44841344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.196{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9258F415679DD0C0805A7261C6E56F91,SHA256=0FB9F735E0F3EA0278ED21E9BC1453DA349AF5D8F46C9DA01247E31E2DE48DE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.149{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:54.150{8D4DD44E-CF86-616F-AF02-000000000502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:55.926{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03977F44983909A21B4AC0D05B286465,SHA256=844FE844A0FB3C1C4341F938C39C113FF9C641BD961E98D5CB1F3CE0D368AC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.446{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEB1C37D92FAAD9D08A933E1381C250,SHA256=777007F5C066C898A1DA4229E31124BC57852960177332ADE46553ADF09E07EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.399{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:55.400{8D4DD44E-CF87-616F-B002-000000000502}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:56.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AD645966ED31D8074F37979D79C65D,SHA256=086929848C204608E86CDEA6DB680839BA20C2658DD2AF2AB6BDF6EF73E9485B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:56.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFCF2A720BE20D5512201661AF2EDEDF,SHA256=8BAF1A5E117C17250358E2507DADC94DA02C61FDC55F58876449E96286A8AE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:56.451{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B468DBCD6A619064FA810BA26A264,SHA256=39761573BFF9769EA72DA6E52731979C44DADB750675ABC1CD03A7357A90AD72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:54.666{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50569-false10.0.1.12-8000- 23542300x800000000000000084456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:57.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF45B1C3D5937168EC41F281B160A41,SHA256=4B820A91258E506A76376A02AFCA4843381E038FF1A9EA9A92B1680EAAE8C498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:57.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397563404E3C64D72E050C67078BED92,SHA256=A25CF8E4B26FCBE374AF9E94FE4EB87E1C3D626813EF5F84DAE77EC94E181725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:58.928{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA1C68D399093FB3504FB4D1E1582D0,SHA256=63A346BF1CF1714404E747F4609408E06E4B1F9ACFC2043778000036797821AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:58.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14121481C8969D8696AB611A2BA6C7EE,SHA256=BBBC95152B529089EA821A8BBB6513222EA4D39BCE4D63963BFE1EB5F1A364DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:59.928{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B720DA3CB1AEC9DADC8832EAEA26928,SHA256=CA38A79FE31DF5C48D2D3A8937A104F257088187E0200EBB38978DB84E7D022C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:57.705{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56060-false10.0.1.12-8000- 23542300x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:12:59.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F24A37F21A47BEF1E1FF8A6AA0DF13,SHA256=DBB6241E0AC72157B19088A6CBF7CFAE69F508536377D8C332DB5BCC48D6D32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:00.929{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A8865F10B52749C86CFB8D4EBD607A,SHA256=0C92F394598B9FF213395F8AE6133F916018E847F846F38BC71741AF6F440F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:00.498{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A493C8182CE778998DA52419E7AC45BD,SHA256=781313A4777F007DEEDFD5D53A5D48E9D071F5018EB3024BD8F4BF2B5E055833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:01.929{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953249D87D9CD001EA20A351B7A76054,SHA256=6B3E6E63AE1C3A6DD3E60AABC7DC3BB77D111823668D12DBA86C210AF1EB80BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:01.545{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663898B47F7E6BBFE39042F4576D7CC,SHA256=C900830F42D87953038E9B288A9064CDEA9E6DDE7799D8806BDA7F2791838484,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:12:59.704{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50570-false10.0.1.12-8000- 23542300x800000000000000084462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:02.930{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309C7DAD69E6540351706625DA735966,SHA256=6EE3A81B2886884716CF5ED46354B42813DA193B6241748CBAB1BF220C2BA14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:02.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDFBAEC3D50D8C00A888698F5AA0CD,SHA256=37F7D8C90632D5FFD2B7FF90955278C3FBF7BB1933B341F9A11CE4C0AD81B50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:03.930{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BACE75B576BDEFE58FEFB0DE90B38E0,SHA256=2169775DCAE843E718A9922799DEDB2E5E22D81EDA746FD6F007F946889D74DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:03.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFE3AA31D4F051DDF271228B3ECDA8,SHA256=FCDFC8E46649F4E0901752524B6491DF6B1E9E81C099F8F0537818CCFA3A6E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:04.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1C19DCFBCF7BE1CBEA45C749B87E25,SHA256=E5F2003F36EBA14303495174FB88906D4F0170377FF7833B2AE57CCDE29FB33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:04.560{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B06A2F9E0ECBD651E51C95B143F97FC,SHA256=36A1D177537BDCCA9F83C24066F74E90500B03F301D1C09C588641D2C1CE3715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:05.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A0B1CB7AD71C5A10DD31DEEB7CE2CE,SHA256=8BF75F6DBF1BA9221A74F8AC91B9D220DE8A1AD428400C10FAEA91D3781E3282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:05.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE5181CA0362E5627DE0D1A9083647,SHA256=C188697E7CF6F0EE7F246300E423B6F81A89ECE4C8C2A3761CBFAFD367C4178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:06.932{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918327BE8C803088EF01CCBEA78884A0,SHA256=A65F78D6E5486E81060E18F60DC7ACEA8E6FA968B651E73589FAD87A185ADF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:06.591{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEBBD5C4C14DB9270F42948F5867BA2,SHA256=F5356CB315EE4C1B3C491E5413CB53CABBCEC1403CF8CE537F07016660D25B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:03.549{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56061-false10.0.1.12-8000- 354300x800000000000000084469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:05.644{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50571-false10.0.1.12-8000- 23542300x800000000000000084468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:07.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19203E805C26BB4E881D1415642E6E89,SHA256=B0239838256C6C43EC1FC9B95AA6FF96EA326CAB6DBDAD31FBAFEFC77309F063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:07.607{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AC2983FA5868F0C3502C10E9145157,SHA256=78DE57FED4191CAD4DE676DB57EF2C4C3F566DBC2D667887D3A10139F8AA9BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:07.561{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-067MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:08.937{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41580FA94F506BD682589615D5CAB1C,SHA256=966ADADDF8E5400A8EF7FFF70F165FB9BED2F1CEC1D94537E88754D06463CEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:08.607{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6661ACB05E14A6E43EA77CD48037F6B8,SHA256=293F63A060A682D40E696E0B2F06AE65D5BC736377D11488A3C7C459AC1DBCF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:08.561{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.940{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A92A4FAFF0D54C8B0BD00D1FE52641,SHA256=6E28A957967F5B0C0842851E08D72E82CB8A75C1EF9E87C0E55AB9BEA8C631A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:09.623{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.627{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:10.940{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63457CFD6624F0BE5B5C5522FE8FE20F,SHA256=81518E58C6357767C408062F4309E7EEE279A9B83DA24C2A59FDF36C93430FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:10.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EFB0DC8A3EC96A12BD0BF8B4A3B5E8,SHA256=396C526FA068F57D5489CAEA48031372E42C0E4F34EF3E42C77D34B8738361F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:11.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9918490138A0C251CD2C3138BB959722,SHA256=F801CF23AAB329AAA84FFF18D881C3B4AEA711137EB24E81901E666E041D8B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:11.670{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B569293EC3A452BB83DD570C6453AF13,SHA256=E668571DC87CE48FAEFB110EB21B9CD6EE479E0889B7E4820614F79E4BB082CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:09.168{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50572-false10.0.1.12-8089- 354300x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:08.659{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56062-false10.0.1.12-8000- 23542300x800000000000000084477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:12.941{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7588F4356259523E104E492EEDA26ABD,SHA256=6BE45413C55D8DFEB4A3EBE65DE081B89B1372B94A0B1F614F97B8E102D9DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:12.748{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D47160D81B4EB8218CACA2D1E49632,SHA256=365CF7A8AF8069DAD9E61458B9FDCCD252548B429218CAA090E174E39749D469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:13.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A569DF6E1C85AE2376084C27AF26D676,SHA256=F546EC88BA17E0058423206EC56158A66482C362499AA5701F3C7815EF78DAA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:10.653{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50573-false10.0.1.12-8000- 23542300x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:14.826{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227D33EB8B48101EF45D23ED74B62806,SHA256=7BB8FB4AA97A06AF59029C1668C2FEFBED47C706F7BB0AF8AAF4B50076597EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:14.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F103B7B94024B11859D72AFA0B98A0EE,SHA256=50AFD0C0891650DB0C67345ACF597B7A897ECE57F7BE3101149E308B9E89DA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:15.842{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D1B53658B1A6C44F20E7821C247A8,SHA256=15A55CC50500BE2BCC3F2AECDFF46FE7C0AAAA3D02A149960B1BBA1BA4636F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:15.098{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56914DA94A0B8C6E14A9755D0B92AD23,SHA256=B079C254515FD10825D8311457A464EF52CD9E4EA94FA76E9069BFD733BF7566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:16.866{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F138A5D25114F6DC79994767C2473A,SHA256=F2D9C7653E9386C2AEDE76F96F685825909BD720FCCF13C110458AFD9018C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:16.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52DCA377D527B0D6F85A96ACDD82F9D,SHA256=A16645284184E24DFE2FAB0BAC11CC6F7B6CE4BAAA1FF79C458CF874A6541828,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:14.566{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56063-false10.0.1.12-8000- 23542300x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:17.866{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BB71A7EA6A431E5C4BF1A71B438211,SHA256=8BB69A4590CB8A5F87D6875F219DA4730747FF11E80372BA4A64AFD11CB83538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:17.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44D190B203C1683755E7641D9048C57,SHA256=345156C9AF097B4CB5BB8828DAA1007DCC20F1522EA24E9328E0B9ED74326F0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:15.773{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50574-false10.0.1.12-8000- 23542300x800000000000000084483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:18.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F538ED0CD0135C452D0A4B3B61A49F2F,SHA256=57DE03FEC893C686962A8B1BEDAD01CED9A03CD799A563A67A64C75075FE306C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:18.366{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:19.389{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30532232AE2ADA6C29212355029EB36C,SHA256=8046017B04934C7B601F943FE1FA179AFB1EBC87500187C491AD641E508DA03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:19.257{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359C4EE46D3BB9382DBA4C7051184348,SHA256=23D1AA70131753D357DA06C6B14F3A1A40EBE5A7EE56627D3C56328741A30291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:20.404{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879FAB65C82A0BCF03B49F7EE1E6647B,SHA256=3B70E269A28C7593B6AFC97223EB5F795376137C9438EFAE9BA3655F6716F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:20.257{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4089CF862E295C3D0BE3DB209FE142,SHA256=ED9DA7ED942786B185F4A27040C5D726E1160E47DB15E8719CDBD6C73FB823B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:21.420{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DA58C311E18CF66106C025BC7B1669,SHA256=B074AE991739AF4F36AEC463D85D8D8D16A1F2C33FE91BD2306ABE719373F500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.273{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC604C3A531A5D8C1CEDBCE75316029,SHA256=DD4C6B9B3C50A599F76175D447CA450EE9F537394F94309694E9942E458D7544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:22.435{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C98D6E722809FFB5D86816D622D1F7,SHA256=059E45E85421F248817EAF3C5C1E65E46B80E1021BD32F5830D14B7ADC436B19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:19.669{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56064-false10.0.1.12-8000- 10341000x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.442{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.332{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDC00E12C659D8BF28AA9756733A314,SHA256=62EA77D4A8A740A69C36ACF4FFAE63BA0E263BC7D0AC7AB624B88607C0B282D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:22.153{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-067MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:21.711{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50575-false10.0.1.12-8000- 23542300x800000000000000084490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:23.467{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678CDA5636850977DD6A5A685735214E,SHA256=46F1EDAA1455E928175B4843614AC768939BBFA7AA71E82E444CD387421E3EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B0053410D56EB0F8CBE0559C249CB,SHA256=F755C8A897FD7ECE0A31C4267A09B220F599E800CAA642695E9F9E1A9AD9AB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.487{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7128F56D2044A9685D473BBB8E116C05,SHA256=6373653E2A775EC823B05776881F3EFEA02731B4FCCAA57C279007A6EC799BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.362{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92EE1DCFE0E51F8B08C12754031BCFA,SHA256=9206BE708EAF0621781090BCA4E78CC279422D24E88214DF8D687157DEDC74D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:23.107{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8FE8509AA4E90DA0A8FABA2776ACDC74,SHA256=7625C2594B23DAC2A187EF66ADC9356CDE041CEC84B72E2B4B213E8AF57C7512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:23.162{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:24.498{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7888E241B7B61114053DFB964D85B1,SHA256=63C4DD28B41EA2F3EA8192436B95056AEE9BC2C895239189FF17447E9355AAE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.709{8D4DD44E-BF3C-616F-1600-000000000502}12922976C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.709{8D4DD44E-BF3C-616F-1600-000000000502}12922976C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.932{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:21.932{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B89E01C74EB4EFF9D7AFA00817FE238,SHA256=22CE9B01954A3A24F514E1378671EB7D8630A493A76459ACA236E32C8C8B41B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:25.515{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99C5C061F58845A7577553C6B0C31A6,SHA256=11E4EC64FF50D6597B312C67D4BDC3E7531649C4911119CD23D86E86A8D69F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458DEB02C9063CD1E98174E1DE309F5F,SHA256=7254F08EEBEF26DEDFF33B390521558F7B0F9ADBD0B1E670AE493D220F9EC646,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000084502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000084501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040bf60) 13241300x800000000000000084500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf89ced17) 13241300x800000000000000084499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5a615517) 13241300x800000000000000084498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbc25bd17) 13241300x800000000000000084497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000084496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040bf60) 13241300x800000000000000084495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf89ced17) 13241300x800000000000000084494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5a615517) 13241300x800000000000000084493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-20 08:13:25.029{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbc25bd17) 23542300x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.225{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.131{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=787F223B8210F21DEDFBF88B345084DB,SHA256=424DD781ED54FD7FCA05F8CDC85182F8E38E75E314B10E652BA3E16EF9991309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:26.546{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8939EBE1BC2827053E7B4D664BEA6CE,SHA256=50DD255C816ACC005B3178D2667F0725D1562D9BE0A8E78050FD66B47D0EF7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:24.699{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56066-false10.0.1.12-8089- 23542300x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:26.459{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4992A682319AC66939F48E7E5C354A2B,SHA256=91BE68CE401BCF5CCE8137B9A24ACE62C82E9BF2944B0E98B7DBEF67A4209EDF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040d78c) 13241300x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf9745453) 13241300x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5b38bc53) 13241300x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbcfd2453) 13241300x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0040d78c) 13241300x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c581-0xf9745453) 13241300x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c58a-0x5b38bc53) 13241300x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:26.287{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c592-0xbcfd2453) 23542300x800000000000000084505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:27.593{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008B292ECC1F72E05521DA4DD697B175,SHA256=FA6F4BB6E48516209B517F31BC7B74941469602B8948BBEC8DDA6EA7DF382ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:25.542{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56067-false10.0.1.12-8000- 23542300x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:27.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827BDDEEAA9FD004B194E5A53094CCE1,SHA256=F42CF49FB076D6BB248D8D914746EFA9F16C009EC986D75982915F162CF85BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:28.828{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5530DD05EF050BF906BAA04C0E634089,SHA256=8D1E5BF4CDA2CFAB958E82D6D13CAFAD3BAA0D9E29171113806801255628BFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:28.475{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908C602313EB686DBF72D3B1B443ACB,SHA256=D1B204B8317192C2436A921F49351B716CF7B7D9694B30089136F795B147EC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:29.874{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8188E583C358F4E2B6B5B6C11439AA,SHA256=2E8345452DACF405AE87EB62EF446857492A1B9053BA2BB3EF43D6339E18DA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:29.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C296B03250FD98A9237F7A7E5B320F,SHA256=B4AF8466B162B7012A5CAD7200BE0B361AA81C0B1CBD1C39BFDB531E7E3DE562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:26.744{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50576-false10.0.1.12-8000- 23542300x800000000000000084509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:30.937{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0BAFDBB20AE753B015855D501C2A51,SHA256=808B4103F59A49DE3079813C5854836BEDF81A6827306C10366955F8C32F20F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:30.553{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A267834B74349C4708A5672EF21053D,SHA256=30B351EB86A8F5F9CACF9FA48CC82F9ABDB324B45136B7A609E2F57F45017F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:31.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428EA82A767A4842F89A5992C2C57482,SHA256=ED6773D1815738C5234337D2B40A95B5AF823005E40C36352FA08CFC7705A763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:32.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4AA23A357875AE755E2FAB6DB6347F,SHA256=40167D1586050ADE5DD4048485954F17AC18203104C40937F212D2F14ED6F1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:31.999{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F36DD9E73F5E527E3652449E5D164C,SHA256=954EFC0491EC19F0CBDCB5935F5D34828B96EE3DA3257481DAEA810FDB552299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:33.569{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63940FF54A3057EFC091F81C59F80EC,SHA256=F79E1326B8C68ACC2A807A0F95F1F2441D8FD06E2E05D9ADCED21F3912F06950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.281{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.282{6F8252D3-CFAD-616F-8102-000000000602}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:33.046{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298EE073D399F747E56FC9A80B9E839C,SHA256=52508AF09F4239C107BE17B29DCCAB52DEFAC2184C487B28F72AC719DB7A95AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:30.589{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56068-false10.0.1.12-8000- 23542300x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0752FBF0A138BE507DB235D89657750,SHA256=639E432185AEC08D3244D86C95D610B4DF286B507643C502D443DF6D35680397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.765{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.770{6F8252D3-CFAE-616F-8202-000000000602}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13FB968DB390AAA58E7F4E350038C25,SHA256=FB23FF833854B5E0FA6A3588D05DF3745B2C2B4B0CCE8FE5AB4CD6D2345A0DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.499{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DDE7B9A5CE281342BE3D57FA5A468A3,SHA256=EE21888B5A22C807777E276685017555EAC3D01B3E7F4879EA32A962F7AB0905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:34.109{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C091CE467393EF1FB8F9B9A4383DDADC,SHA256=D25832644CF56ACE2F45CD384D9C2711FC846EF56D8B469469A12AA954797689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184AA9EF3A336910EC82F1D6E59299E2,SHA256=8566410BDB1B0EA978D32A6516B8664B0B4DBD6F4944153EE04F6F8723EDA12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:34.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1B0053410D56EB0F8CBE0559C249CB,SHA256=F755C8A897FD7ECE0A31C4267A09B220F599E800CAA642695E9F9E1A9AD9AB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:35.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ADFC9F56F6C5DD189BB512C72C6A3C,SHA256=FCF318726F480613F197660E77A532D0C6025D7742C6E1BF8D8BA0E24BF93DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.812{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13FB968DB390AAA58E7F4E350038C25,SHA256=FB23FF833854B5E0FA6A3588D05DF3745B2C2B4B0CCE8FE5AB4CD6D2345A0DAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:32.665{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50577-false10.0.1.12-8000- 10341000x800000000000000084555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.265{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.266{6F8252D3-CFAF-616F-8302-000000000602}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.187{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9196CAD8359B7CB6403659D27BBB651,SHA256=934B8AC1307C944C6EE115ED3C7097CC91DF9D21E71248CFFE197161EA6DB4C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:35.062{6F8252D3-CFAE-616F-8202-000000000602}17004008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:36.605{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A908745D14B4932236110707665F1A,SHA256=D45E942E77E2028D0CC3B81C14AAACD88D6C2D4CCC870C47928DC36875C8606B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:36.190{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCBFC96F1BB2142D142EEDA5662DF7F,SHA256=05F46A977EFC4EE4DC2E0819013D801834E6C0F3993090C9C98FDE0016E396DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:37.605{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0A854970F8C2B6371912CF8FFEDEC2,SHA256=82B512189D8E6E70FFAA3C7737DB248B7E1BBB8512D1EB12DC5C743F87454685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.737{6F8252D3-CFB1-616F-8502-000000000602}3748296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.502{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.503{6F8252D3-CFB1-616F-8502-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.221{6F8252D3-CFB1-616F-8402-000000000602}35043184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.205{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C72F5C4D6FA60C42EE397849B7D3CF,SHA256=392C4553A7EFAD80B38B645EF8FFA38CCE6A14A85EEDEE4DBFA40EEA526ACABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.002{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.003{6F8252D3-CFB1-616F-8402-000000000602}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.643{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4723D3C61F70BBBEC04A2E640B9DA3BC,SHA256=62ED2207E52C543FD0877E022B719C31CA9F6361B79F52FE9F7B5D904DE98E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.221{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6225CD400D30735B5E2870D157E426E,SHA256=F99749EDDDDAC9F22D7E870D7C85882939E7400502C1ABEA5DB4478D85826981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:38.668{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E74D8DAE2CC5CB8FA353FA90F623FA,SHA256=F49742C88C2D0CEB33459BD6842A39D00A4D138038CE4A3093AB70E4392C3914,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:35.673{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56069-false10.0.1.12-8000- 10341000x800000000000000084601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.190{6F8252D3-CFB2-616F-8602-000000000602}24762552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.002{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:38.003{6F8252D3-CFB2-616F-8602-000000000602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:39.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C933286A3C1EA4EBFAB7A0EBEC9AACC,SHA256=11406443AE3193E2A95CD072CC00BA8FCF0B7488791E14B24D98915B50867952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:37.762{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50578-false10.0.1.12-8000- 10341000x800000000000000084617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF39-616F-0C00-000000000602}732844C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.612{6F8252D3-CFB3-616F-8702-000000000602}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:39.299{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE4FAE1C0B945898DB8E101E389D3E,SHA256=26A2EB4BE75479F746D852FE1625BBCC35B1D218508BD31639B802ACA6F46668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:40.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510A70AC6B027CB4449D1F4E7A3E923C,SHA256=466285D05E293E949642710928659E867C8B2BF5730AAFB63513C7D3DA6C527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:40.627{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=563D611E5570C27ABEFB3BCEECD9ED57,SHA256=5885207A9BA31D85341BC3603CF10E23132BF37A5A7EE0FC769E4BF8410EACCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:40.315{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513ABFE51717BC2B1E3EFF25BEF7E3BE,SHA256=7B7C82326C853C32F91072E980787BCBBF499829759D49D3F375D775FA8D5445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:41.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87389F3743BB21B36C46E1A72B0C4B1,SHA256=9600AD03C28F37F0BD8E7880C6264EF2CFAAFD3C0FB9E28C83647B818584FD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:41.424{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69122BC4B93CBC0107F827C8B0282AEB,SHA256=32C53B0CCAC9D5FA3FD355D854C20B8E481C329C63A12350C8E02732721A690A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:42.440{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01F34A52383C34AE715B6A4D560E001,SHA256=A5C11DB48196D0EBD03D5B3D938276072FEC8D1E37598E90ADA5C26EDD05DCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:42.731{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC2B98861859D350F463A376097BB1E,SHA256=D15ABB293EA3228D6B0B8C39E788B6B57346C3EB604B605A609C00EB5B85AFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:43.643{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBFC5D4BB47990201283297C9616C36,SHA256=C3788A3D5CD24029A043A9E233E671FFA75B26AD03AE76924CA37114028EE158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:43.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364252C24F8D9B4923259E120D21B4AE,SHA256=B5A0D934B430E04F64CBCAB594300A48DC3BFA6C880851A8A66904522DA828AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:41.565{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56070-false10.0.1.12-8000- 23542300x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:44.763{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F788821D00AE8A9D2DD3750CB44E5B3,SHA256=A60608CDA975191A851D2A7E1026E1D32F9F9A0FFE388248ABBBA69BF72C2A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:44.690{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015A035A23E975C8B2F0FD51F46699F3,SHA256=C18084DE2D21DA79D8404CC1DC8098D79ACA133F8F57DDEAE2797D2BB8646588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:45.752{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74928D6E860239B06F52C3123C419DC9,SHA256=A1C923FAF421F40D07A8344D0F91723BF0F990E82589D8B922066B9C273A5FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:46.971{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBB622C2C2F9D434BD1C1BE438D48E,SHA256=9C9630B90E40E7766D516CF77B103B44174A5E0A1CFF14FCEFFE68B957747BF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:43.777{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50579-false10.0.1.12-8000- 23542300x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:45.997{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3026F012D2DB3BB493C219550ACA4B6,SHA256=FE8BEB63A795A1C2D17BF3771B3BD63829BD86AA8F88772B5672AEC008CD86A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:47.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1614C85D1FA906BAEB56F7402355FB74,SHA256=8984BEE380E119FDE5FF2114D518FFA0C9683E38E499D1E7C972E6132C42A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:48.018{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4288DBC6963D9F1C5FD55AD5BB4B5317,SHA256=4DEBB8ED178919E43B8D190F23FD91FE12DD95F85A5AE2F8260503AF67836D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:48.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C63DBD33271130B54E18962B36732E,SHA256=F6639877A1EAC75E7BEA83BCFB1403E2A641939ADC4D05D382876D9705DDF0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:49.033{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6BB045DEAC79631F5A68A88B62931,SHA256=5A0BB3059210429CF640EA0B88FD3D99BE2678ADA32B41ED1849DE751928DF72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.825{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.826{8D4DD44E-CFBD-616F-B102-000000000502}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:46.706{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56071-false10.0.1.12-8000- 23542300x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:49.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56086A6535B296311DADAAC20FE0C4D,SHA256=C2D7B02D9EBFBE3493B4A64408DB3188E5DD79B7B2AD1C34866DD5EF1EF3416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:50.065{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CA74F195F028BF5F84F9CEB0F40F1B,SHA256=F08532288D719DDE5ED2F09651C099075ED0217174695DBF69D987AF7CD127DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FC9C1E673FD6799A91D9D228EC9084D,SHA256=5A1C84677A2B3F7251FA20DC25FA3204B2532FDD9471B36086EEB41055AF4430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=184AA9EF3A336910EC82F1D6E59299E2,SHA256=8566410BDB1B0EA978D32A6516B8664B0B4DBD6F4944153EE04F6F8723EDA12E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.325{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.326{8D4DD44E-CFBE-616F-B202-000000000502}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.077{8D4DD44E-CFBD-616F-B102-000000000502}24443280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.028{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC8F5352560C8F733D6F1013E8A4115,SHA256=F8F8A04C21ACD7E207A6E363B136FFBCA9288368C50984B70BADF093A7DE4635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.325{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526A9B0FF7D0E1A4E2B825C763304F40,SHA256=AEF2F899B55BD2556B1C19A656E2CB3C348686DCE7DC5B6BC4CEA611DC41B034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:49.715{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50580-false10.0.1.12-8000- 23542300x800000000000000084631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:51.096{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410EF930F5F6EB70BED31723F42AE0F,SHA256=200C5D2D67307EC4AE414F0E6B72B8F224B5F6776830328A933C6ED4016AB536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.231{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:51.232{8D4DD44E-CFBF-616F-B302-000000000502}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.966{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.967{8D4DD44E-CFC0-616F-B402-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.481{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD11C66A81CED917523E116C02EABDC,SHA256=0220E99115F1EA7BDC9F1B8DB65C4603B38494150BE29E4DB6A9B77B949F410D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:52.127{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B3EA975F9B0964809C4D0E542998E8,SHA256=855B2F69A6D9B337879D07315C3B6FDFC8E4F09E2D8BFB355DCD42EC0031FB37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.471{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56072-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:50.471{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56072-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.216{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FC9C1E673FD6799A91D9D228EC9084D,SHA256=5A1C84677A2B3F7251FA20DC25FA3204B2532FDD9471B36086EEB41055AF4430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.981{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA23A507A8FAC3E97372E70A80295407,SHA256=C11BB0BC4D52CCBB1330D5467B8EBF88A7A54B14A55726F9DFDD9A4219A3C950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.638{8D4DD44E-CFC1-616F-B502-000000000502}13083888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.638{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4908799220D72D9F4397E7F2233F7C,SHA256=C5582EC0CF0ED99BEA491AC9E305DC3133AF2B797D07610DD8BEC6AE4213C0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:53.252{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C54F0B55716B21BC2799B290556341,SHA256=1A95209E91A6E5AB07B04DAFE8D578AEE754FC4A334615A9FE51EF209E82DDDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.466{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.467{8D4DD44E-CFC1-616F-B502-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:53.231{8D4DD44E-CFC0-616F-B402-000000000502}4944520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.856{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F7FF20FEE5E7C6B291A352569D4FA,SHA256=573C5EDC1030645A80DC0B76B56F22AAF9EB7940BBEC8F05F3304FDFB36FBC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:54.283{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5162EB4301D2850DC4C291DD86D2FEB,SHA256=273504634ABE8BCDD3E28C891231E650CA910302FAB69607C3A541EA6FBEC4A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:52.628{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56073-false10.0.1.12-8000- 10341000x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.184{8D4DD44E-CFC2-616F-B602-000000000502}38282724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:54.013{8D4DD44E-CFC2-616F-B602-000000000502}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.872{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39B074982759ED680B4870064CE7840,SHA256=142B8531294802F0B20C28A914F7B15495892A86790C053AEE0910A01B45B7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:55.330{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFB479DC6C8318D2A6B01E4DF72D561,SHA256=17EDDB027E412B9FBA06713D9D767A13213F70B6A98F5CC9E42FC87206476429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.388{8D4DD44E-CFC3-616F-B702-000000000502}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:55.153{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED68200DC82B64F5785BE7938D31D683,SHA256=9CD5E28CE9989037DE05C00C69BCB87F4FFD52FC5CD5C205E851A65A580D165F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:56.938{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811DD926CBB87944630E112AF771DC5,SHA256=ABDFD34EE1AAEB31712D78D0313AC41C68D589B1EEDF250EF0CE462CB1E1225A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:56.351{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1AE8D3F4286A0F1685D7B8BFBB5ACD,SHA256=AB25BAD296E127D383DCA3B9592098DBC043AA00EF026911A610EAA68B74400E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:56.391{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AF330E4826E6DF669B14A59508F980,SHA256=6C21D34D3CA6DE2B0A4B262968E993CA9D0E132BF5A0B10110F03FFDCFD7B306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:57.382{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBE68D3D37DCABCBC6C54E132CD5788,SHA256=1E7CF39BA8B41DA3F30BF9EA0CE3CC1B7950D352E7D43B19AC117AEEEFDC549A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:58.398{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3593605FB314A03B5430DBE0BDBFD4A9,SHA256=F7AB3C7876D9901DF8CF3D96E3B7C2A5BDA994B271F7D1CFCE4D1E104E0EF5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.157{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:55.689{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50581-false10.0.1.12-8000- 23542300x800000000000000084641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:13:59.460{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91248262EE95E6DEC397B25F3BEFE5BF,SHA256=4E2BF040211A1023767BCF6BCC2C049D090783E35BB2A7E7554869CB0E899D76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.969{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1E158C0B7666BDE2B89A5E7F90D8A4,SHA256=EA040102FA05EB396AA4B45C20BD373BE4B81E14897F50D360BCD2A1F8DE6DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D38AEF46C41642D0D2D651B5D9F8122,SHA256=25F892D0C66597CDE2EBE56E061CA38BA49087F2D0ECEECDECA3E41D9C3D27BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4B537995C0E78C6DF48E0968647F79,SHA256=4CE49F8D1485A229345D38E60F649A796EF88BD504E3B1C94009F868E45867EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.891{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.860{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.844{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.829{8D4DD44E-CFC7-616F-BC02-000000000502}14044136C:\Windows\system32\LogonUI.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.798{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.798{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.782{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.782{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-CFC7-616F-B902-000000000502}19244128C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-CFC7-616F-BA02-000000000502}43322148C:\Windows\system32\winlogon.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.771{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{8D4DD44E-CFC7-616F-3203-200000000000}0x2003323SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1c000|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.766{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.751{8D4DD44E-BF3C-616F-1600-000000000502}12925060C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.735{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-CFC7-616F-B902-000000000502}19242612C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-CFC7-616F-BA02-000000000502}43324000C:\Windows\system32\winlogon.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.691{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a17855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.688{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.672{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.657{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.641{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.579{8D4DD44E-BF3C-616F-1600-000000000502}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.501{8D4DD44E-CFC7-616F-B902-000000000502}19244636C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000103571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-20 08:13:59.454{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 13241300x8000000000000000103570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000103567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000103565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000103564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localInvDB-DriverVerSetValue2021-10-20 08:13:59.438{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0003\DriverVersion10.0.14393.0 23542300x8000000000000000103563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB797BB352CB301B37E1A92C90E2ECF,SHA256=5F6F9145F4118BC6517328AC907F7E23E11CA44633E69599EDB5C7C5F70A0013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.266{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000103546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-CFC7-616F-B802-000000000502}41685036C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.256{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c 10341000x8000000000000000103544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF1C-616F-0200-000000000502}3082860C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.251{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-CFC7-616F-B802-000000000502}41685036C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.234{8D4DD44E-CFC7-616F-B902-000000000502}1924C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c 10341000x8000000000000000103531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF1C-616F-0200-000000000502}3082860C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.219{8D4DD44E-BF1C-616F-0200-000000000502}3081664C:\Windows\System32\smss.exe{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.223{8D4DD44E-CFC7-616F-B802-000000000502}4168C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000013c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{8D4DD44E-BF1C-616F-0200-000000000502}308C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x800000000000000084642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:00.492{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7862108C8576A0114FEB78B841FAE8,SHA256=85B214EA27A746F7B494034CA304B48815515E9C2E2C4DA86746DBB880DA2AFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.969{8D4DD44E-BF39-616F-0A00-000000000502}6243356C:\Windows\system32\services.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.969{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8981EEC3B8E3E7A6CD1FDE020DE0D69,SHA256=C688E809C1288240A9FE4072F0277DE6FD9F78B19251098DD1ED0E189E4B0411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0A00-000000000502}624600C:\Windows\system32\services.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.963{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.954{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF39-616F-0A00-000000000502}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.938{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.922{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.876{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.860{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.844{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.829{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73CEBCA7B9A0EF22D854E156D21B562,SHA256=0462E7D94135539C30AD3D39AC4D0C5F0714435D4899D8F95DDF15515744B745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-C6A0-616F-7F01-000000000502}21603208C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-C6A0-616F-7F01-000000000502}21603208C:\Windows\system32\csrss.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 354300x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.146{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.145{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.105{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.105{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 13241300x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000103866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000103865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000103863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.797{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 23542300x8000000000000000103862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D45A4523BFA0F90652CF53497CCE71,SHA256=9E98AF3397318C3C88731B5538157C6D14D1F098D3668077C87E321F276E205A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-C6A3-616F-9001-000000000502}4532ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=9B6F0B9293D2CDAB379606826F1FF36F,SHA256=16160A5E4CABC18988628075B2739FEDD97DDC879DDC9A7B1649E0EFFC0AC088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.782{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.766{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.751{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.735{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.722{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.719{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.657{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 10341000x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.610{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.610{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-20 08:14:00.594{8D4DD44E-BF1C-616F-0100-000000000502}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 23542300x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.579{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F8B3D09DCBFEB574484F18BB706B6A,SHA256=260B8D215B1EDF65630197B0BDA29ABADF2AB1ABEC4BC63426137A9E6AD1F8AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.553{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56074-false10.0.1.12-8000- 354300x8000000000000000103775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:58.512{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.66.206ppp-93-104-66-206.dynamic.mnet-online.de62146-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 10341000x8000000000000000103774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.516{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.516{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.501{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.485{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1a4b6|C:\Windows\system32\lsasrv.dll+1ba5f|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.469{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.454{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.422{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91622E5DD62BC5798BD3978D99A053A2,SHA256=8637502A6C1FCEA372E65D856AAE1D94F87DBE9BD8248EDBBDA91AD9387138C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-1000-000000000502}1082328C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.344{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91622E5DD62BC5798BD3978D99A053A2,SHA256=8637502A6C1FCEA372E65D856AAE1D94F87DBE9BD8248EDBBDA91AD9387138C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A895116CA8F2E3C47589E3F3EDDFA78A,SHA256=B2BA34F51134E32C886B16861A3C886C523BADBE79B5138F7A9DCCB453E1DC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-1000-000000000502}1082328C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6aab8|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.329{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF3B-616F-1200-000000000502}6881532C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.313{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824FC19195CB782B035A91817D50F907,SHA256=D2522068F6147CAE9A94B2F2C4D9DF35D74BD702CB4EA6392D18758087F1C0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.297{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672D71BB54250BC448D9B0C28C528F17,SHA256=7892BB499A417036E567E33533C2EF8D9118F5A72B4C9C08D99C13E8946B1F2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.282{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.266{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 18141800x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-1000-000000000502}1082348C:\Windows\System32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1297|c:\windows\system32\termsrv.dll+6a79d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921336C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BD02-000000000502}172C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BC02-000000000502}1404C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF39-616F-0B00-000000000502}632672C:\Windows\system32\lsass.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.235{8D4DD44E-BF3C-616F-1600-000000000502}12921940C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000103673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.126{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FD2EA5840942B1F30C009C2BE39B57,SHA256=5AA90ACD95EF7E91AACF949A827BC0471D5B1E84FE50DBAB34EF417EC4230834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.048{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DF8DD8B9CAC10A50501E1061A97861,SHA256=03E3BD158E537D6F619B00F176525D62CFCA8BC5D4A0F24B354B3F66CE3FE075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:01.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC62187F1C0E697061136578BD020E63,SHA256=4CDEFBD4B71F0593DC67B8D0DEE7982540F043C9E66CF412E222E8D0DF66E13F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.641{8D4DD44E-BF3B-616F-1400-000000000502}11041396C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.154{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:13:59.154{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local56077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.563{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20C1AE9781B2681BF33B35C0A441CC96,SHA256=C9D8E7A2B5CC53DD5082D1583E16C553177D6751B55BAF9029739731503277D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.516{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=425F87FC1DD54F2204986D0B299B59D5,SHA256=970ECDBE9A60A3FB0941B840C2D2B17FFF0CB91A076AA00D05F59459AB1380FD,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:01.469{8D4DD44E-C6A3-616F-9001-000000000502}4532\UIA_PIPE_4532_00000023C:\Windows\Explorer.EXE 10341000x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.344{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.313{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D725F03C5D30A0A4481A6BB71518DBA5,SHA256=8BC07E322297EF65D19B2E89AE83569D0F55ED1A62DC129D436C0929DB143310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.251{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77852F77DCE0AC06EDA50E8E78011CA,SHA256=83B59639C66C48694DE56701BBA690531D2186CB40D8E4D77F6A69292C133F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.235{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C402-000000000502}1552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.219{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE93A9B7AE1E6D7A009CFB2788481FA,SHA256=935753D4184F9C552547E6DCAB23675241E377DE868C3E6520DD1CD083046EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.204{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.188{8D4DD44E-CFC9-616F-C102-000000000502}48604892C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.157{8D4DD44E-C6A3-616F-9001-000000000502}45324708C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BFC2-616F-8600-000000000502}3124C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF5B-616F-7700-000000000502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4600-000000000502}3668C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4300-000000000502}3636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-3C00-000000000502}3452C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF49-616F-3500-000000000502}3288C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3100-000000000502}2484C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3000-000000000502}2372C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2E00-000000000502}2236C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2C00-000000000502}1188C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF45-616F-2300-000000000502}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2100-000000000502}2512C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2000-000000000502}2504C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1D00-000000000502}2060C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1300-000000000502}396C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0F00-000000000502}1016C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0E00-000000000502}992C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0900-000000000502}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BE02-000000000502}3732C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BB02-000000000502}2764C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.141{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8801-000000000502}220C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A1-616F-8201-000000000502}2052C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BFC2-616F-8600-000000000502}3124C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF5B-616F-7700-000000000502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4600-000000000502}3668C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-4300-000000000502}3636C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF4A-616F-3C00-000000000502}3452C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF49-616F-3500-000000000502}3288C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3100-000000000502}2484C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-3000-000000000502}2372C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2E00-000000000502}2236C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2C00-000000000502}1188C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2500-000000000502}2784C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF45-616F-2300-000000000502}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2100-000000000502}2512C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF40-616F-2000-000000000502}2504C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1D00-000000000502}2060C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1400-000000000502}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1300-000000000502}396C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1200-000000000502}688C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0F00-000000000502}1016C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0E00-000000000502}992C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF39-616F-0900-000000000502}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.126{8D4DD44E-BF3C-616F-1600-000000000502}1292644C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.110{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.094{8D4DD44E-C6A0-616F-8001-000000000502}29281964C:\Windows\system32\winlogon.exe{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.092{8D4DD44E-CFC9-616F-C202-000000000502}4664C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{8D4DD44E-C6A0-616F-8001-000000000502}2928C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000104042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.079{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000104041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.079{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2DF7EC949D99626A60C2CA1199CDCE,SHA256=4E1810418A29855F8DE08A1A2259803EBA622B2143D86343D16C1952BF3348E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000104038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000104037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.047{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 23542300x8000000000000000104036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.047{8D4DD44E-C6A3-616F-9001-000000000502}4532ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=9B6F0B9293D2CDAB379606826F1FF36F,SHA256=16160A5E4CABC18988628075B2739FEDD97DDC879DDC9A7B1649E0EFFC0AC088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-C6A3-616F-9001-000000000502}45324652C:\Windows\Explorer.EXE{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000104032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-C6A3-616F-9001-000000000502}45324652C:\Windows\Explorer.EXE{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000104029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.035{8D4DD44E-CFC9-616F-C102-000000000502}4860C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{8D4DD44E-BF3B-616F-0C00-000000000502}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 18141800x8000000000000000104026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.032{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49e88|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8363980C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48684|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1700-000000000502}1416C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000104018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000104017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.016{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 18141800x8000000000000000104012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-CFC8-616F-BF02-000000000502}2444C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000104008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000104000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A2-616F-8501-000000000502}912C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364784C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8364884C:\Windows\system32\svchost.exe{8D4DD44E-CFC7-616F-BA02-000000000502}4332C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:01.001{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-ConnectPipe2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 17141700x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-CreatePipe2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}108\TSVCPIPE-7c7cb7c3-156a-4b65-bddd-2ecf4819e2d7C:\Windows\System32\svchost.exe 10341000x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361592C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-1000-000000000502}1082348C:\Windows\System32\svchost.exe{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8361932C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.985{8D4DD44E-BF3B-616F-0C00-000000000502}8364376C:\Windows\system32\svchost.exe{8D4DD44E-BF3B-616F-1100-000000000502}420C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.992{8D4DD44E-CFC8-616F-C002-000000000502}1092C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 354300x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.808{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local60057- 23542300x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:02.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7FAB87F8BE59103ECBF9A19C1E514,SHA256=E74E9E545F65F68324633B32015BA59D06EE24267A15BCA9E6A45DBAD8CF0E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:02.538{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6045CD3F1C28CB01E2A006A65FDD3451,SHA256=C42763F1E8969BAC526DAF42EF81A55CD45C78C3A6E557FC226BDE32FBDA388D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:02.141{8D4DD44E-BF3B-616F-1400-000000000502}11041400C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000084646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:01.657{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local50582-false10.0.1.12-8000- 23542300x800000000000000084645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:03.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CB6C6AE58300C2639FEC8A1C48E0BF,SHA256=8BFA0F64DE1B86F972E7B0F6DE36486F5329D52EF7A556F1D562FC176341DF91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:00.968{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local56078-false13.91.16.66-443https 23542300x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:03.344{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E109C3CD84732FF4FAC2A59531F2307,SHA256=0AE50B50299FA6B778A25C8CA0EEAF1FD2BCA7B92B8A02E4AF238838AE3DC4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-20 08:14:04.554{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074D83F42053E83A49A8BA70D5C8AE4B,SHA256=D1630A44E9AD8C7E95859D25CCC6D0894972360991C6EEAC5F0A669373F97C5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-20 08:14:04.938{8D4DD44E-BF3B-616F-0C00-000000000502}836844C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23