23542300x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:22.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CFD8C62008F42035B3D1BB86229CB,SHA256=B24AF0747285F1763609201DE3BABE019897060A5EE5F35A4F542CBAA9FDFB49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:22.209{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168B6AC749E6CB1514B5EBC6B65573D6,SHA256=04875C2B4B678468A347469EFE06A850E6F6F7D940722017E1AB8CD0DD92D315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:23.240{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906FCA274EDDB222C9F8289661A9824,SHA256=43134C594BC5188E9FCE192C3BDF5DFDF4C321564A8F2ABB26B02A7C33E1CDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:23.051{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE10B960ABF568FE37B47CCC7E48894,SHA256=4E5C2B364992848E33603833ABD32A2675DDA4F3F901E5FE8D3E3E18CF24C1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:21.691{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:24.255{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD64FEE06B73BA42B83597D4446E65E,SHA256=6D604179B05DB757339A61198B843F0E798F340F3ACADCF58915F5D5F2B73C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:24.082{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8BB5867148DE3C0573DFE2053BCE89,SHA256=726EB69BCC423E5C5AE1EE37CA3EE081D92D088447E86236A5EF367493F29766,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:23.021{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58928-false10.0.1.12-8000- 23542300x800000000000000040452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:25.098{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250DAB43C74820A8FBEFFCF7C88ACD5C,SHA256=344146D546EEB3E3B2E36B7055E518F3A2783CFB86208649B5305D291337774C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:25.256{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBFA1F0984B58428E5AE9ADDEB425B1,SHA256=316A8F6E66655B13A3B972C6A3BC252038C4BFFA8EBBA87C0B69CF4112F8398B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:26.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCBCFE3A8A7196A9738932E1913C950,SHA256=EB499B48C8E9DF0EE4C377742518B07C1980B63C095662005807B0653BACC180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:26.271{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE27D6E85B33C4529FE2A010FE26E90,SHA256=2F02B07DAC33A743AEAD0DE8F9905BEDA5B2A90418897809A8A7261E68948084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:27.299{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB708C9AB1C3AB6C299FF699ECF0382,SHA256=C17C61850E826932F4E85B4FFBB32674C81707F20CD101DF53C66BDBA491DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:27.140{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E186328C2B17AEB12FA1117019045F,SHA256=69421D72DB752EEB13CFF9FC7BCCA366E9542EE6F567C9C0DE98A6BB22AD08B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:28.330{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E72EB1D8C5FEF7A084D31D346F044E,SHA256=244C194A961C0123154ECDC70FBA48F020A0AF8811C5F5138B9E048966CC0FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:28.171{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480A95DC97C8B7EC9E796DA19B6477C8,SHA256=59EC4E85FB7B314BC1B734C1AF99C4B354F3C28CF37AA48511C3960115D123F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:29.361{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC842E7C089F81B29759421E7530F0B,SHA256=24431FBBFFF065DFD04B24899388DFA550ED80C0C8343EAAF494E4645610299B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:29.187{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB626D74C4B517FFB836B9EC6F1D78D2,SHA256=BB484A8E6BBEE6063BE90342839052DA43FC640CED2764E7A53C853AC2C32DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:27.688{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000040459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:29.045{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58929-false10.0.1.12-8000- 23542300x800000000000000040458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:30.202{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C57B296DAB221D40BA70FFFE3FA0B,SHA256=414B39BA6CCCCD35963227D28E6C6939DF5041C80DC95BE308085CB400D6E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:30.377{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A460B853CB0D68CB061C726923A83C6,SHA256=6D4E68CCC490CD2675283013CAFD6CEE1880FC130BD4CE384E2324C21B525759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.892{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.893{6F8252D3-77E7-616D-B106-000000000502}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.658{6F8252D3-77E7-616D-B006-000000000502}31883344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.424{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B1D59DB4F2E90287703A60AD4D43EA,SHA256=6CB29FDF529A022BECFEE86C7A0C058BB9CFDD0240A61ABE7963E613CD6D12F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.234{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7161C4CBC439D9DCBEFDDF6B8D504139,SHA256=151DB3D0810A242692044A0973F7818F881F26176CECE7153FCDDAE14B8BAC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.392{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:31.393{6F8252D3-77E7-616D-B006-000000000502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.564{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.565{6F8252D3-77E8-616D-B206-000000000502}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49FD0EA9A4F219966BB6D58F18C5F2A1,SHA256=39251D312418A453F6CBD93BC5229A4BF9431E9E65A799E1DC03195AED1A3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F709EC8364906A732B02887B02A0CE,SHA256=D5E4D03A85B1D1419E81B38CAC8DBD15598F4F26BD3F280D027AEEA9CC2E0DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.455{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CF90B3325F8460541ABCDD5CEE55E7,SHA256=E5B5523CDFC3B7713C7D863C38C6E753D655F3DA68C2390AE67DA3210C23CC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:32.234{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBAE878639163918BAA5D74FB22AA04,SHA256=00FEDD6C2A638A46140A15EF9E13A8572DEEB8713D9A59A60E7956AF14F24F87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.830{6F8252D3-77E9-616D-B306-000000000502}26523952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49FD0EA9A4F219966BB6D58F18C5F2A1,SHA256=39251D312418A453F6CBD93BC5229A4BF9431E9E65A799E1DC03195AED1A3A54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.643{6F8252D3-77E9-616D-B306-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:33.455{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557C9EA0179154DB2CD69CA6BD874397,SHA256=AD1EAD135D9EFC3A0656AAB312053C566B35FFF42963F9B2EF18D60F5476A8F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.904{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58930-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000040468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:31.904{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58930-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000040467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.265{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A604225B1A6D9D8A563962F677567BA5,SHA256=CE772D4B00FEDC42A6C9CFD1EBE9A20806D6423EF2065F59D2936ABA342C120D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.093{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.046{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C65DF0ED8F379AC949AD6160CEC9F4,SHA256=6D6E786532B6ACD5C0CB3D10FBB901F3A8A932A1C91173E41492DB1E199E7248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:33.046{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95125152DF68130E04D405AA82B57B35,SHA256=1EFA9DFDAEE2BEE74E039E9FB8251F25E2D6FA78D8FA82238F775BA4C3F9CCAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.937{8D4DD44E-5BA6-616D-0B00-000000000402}628840C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.827{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.280{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD85EEAC63021DF70197B83A9C29FC53,SHA256=5581DA520BFB58CFCD5AE264041FE1E87D8E7EEECBBE32C0C02473D6D46BE878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.955{6F8252D3-77EA-616D-B406-000000000502}38323628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.767{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.768{6F8252D3-77EA-616D-B406-000000000502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.658{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E209B434B2134D1DD11789E3B8BE7CF,SHA256=30A07C23572EFCA6488EBD5B22BDEAB2E9460EDB0D3BD0EB22FDF1C51619796F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:32.750{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:34.486{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2BA28B0FE6579835C65B84063F014B,SHA256=723C33B3AC4DB54E3890F11147EFDF0FEC235AC0F6D9CA2BB1451943762752B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.814{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63AFCFC4AB92612A5E02D9855EA67573,SHA256=AF6D36E48B1D861ED4489CA8B7A6A8E62E3AF6C8DF5E6B887960EB5443608831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.642{6F8252D3-77EB-616D-B506-000000000502}30123724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.533{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58931-false10.0.1.12-8000- 23542300x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:35.312{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E09DAF62EE4BFA618DFDDE963D9EFB,SHA256=9C66F561EB311DDCD63EB5DD5D8A49D776085AFE58642D5F09943E9B8001F335,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.439{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:35.440{6F8252D3-77EB-616D-B506-000000000502}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9776250728F98B2EC9DCFDE7DC0712A5,SHA256=7E00F0F85965CC0BB3DB761C00033D064E276D0B5C3F1A1ACEC4A36434A39519,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.814{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58934-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000040498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.814{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58934-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000040497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.721{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local58933-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.721{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58933-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.707{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58932-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:34.707{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58932-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:36.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F404499A48D7C3EF1580EB94564E07,SHA256=6F38061B1E0B2F58CAAEC4E0ECF40587C29622690136511090B87121B56E17A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.111{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:36.112{6F8252D3-77EC-616D-B606-000000000502}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:36.062{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C65DF0ED8F379AC949AD6160CEC9F4,SHA256=6D6E786532B6ACD5C0CB3D10FBB901F3A8A932A1C91173E41492DB1E199E7248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:37.564{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:37.374{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B438C8946BF684B14B1625DD70DCA05D,SHA256=60875742F25087803DF2E7568422E1C2E4E61173FD9760673161021D25C35F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:37.158{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A663CCA4146CA479E49EF9607D5E3AA8,SHA256=39E8B85034263663FB52D56247FEEF91C15EAD56A9FBEA6780318988CDA0ECFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:38.580{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5612BB2089BBFA88B9D333830BA513AB,SHA256=6B6B6C18C1E1386A6A42C94AEA99F95DCC278BD38E988000AC9EE4F9958F4FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:38.468{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C1997850CBFA0E91CFBA037A0EFE05,SHA256=1E43414B4714BADD3511D6F4D9C7F7C3DBB61DC2A45F2506B9538F216C92CA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:39.702{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF51DB0B929282A1ABD7F6D45A5EDC5,SHA256=B08CCECE05052E76B1C71BAAFBF3CBC2DF4B7C0757FEA65E36EAEE17A277A301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:39.586{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D6D5FA67D3B8370E7DADC0B908E58,SHA256=3A0A270DFBD4F6669C472B50078477B29669CC0900AD2AD83A71597B281702C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:39.427{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-108MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:40.734{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125CA498DA2A93D54FC99FDD87660B11,SHA256=949733019B82005EB30F00F35661988C4B1E184873DD13742815A2CB80BEE81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:40.599{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8EF5C5DBB9DE78579F888BA788E005,SHA256=5A5BD997D3F004C19916C40314DF8BC4FEB56ACD009A10A66E5FD0AA839B2BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:40.429{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:41.780{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357CA08AB220F38248077CCD332E005D,SHA256=FFC0FB53BD506E8142E6059CDF59C28D9C4613309BA5309889D2EB283D23B48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:41.601{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68ECC52FC633729965B6874BF2000B1,SHA256=64F1C51565AFD01E533B408E7C77C719C024FCCDF42FFDC860A42EF5EE8BABC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:38.767{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:42.617{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2304E8737906CA93379774DC8C2349F3,SHA256=2EFC277653292C2D70DA1C4560E7D0CFA7E67DC08FD06D46E35D78580ABFD51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:42.796{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0536D61D64C33C82A9B30C3CFBBB7D1,SHA256=4F09CF2E1A3AFDD34078A72D8C63340D61C545339237A703E10113E2E69FCE39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:39.982{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58935-false10.0.1.12-8000- 23542300x800000000000000040507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:43.812{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BD0E6DB21327DABEBE811685A3BD45,SHA256=D9A97CCD7B8D387F3AA0C81E810DBB2E691918AC5AEB7155329232C2B38B06E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:43.632{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4E6966F1AEE03E4BACD50AAC161BF7,SHA256=0D023D29652AD64AB1DBCBD2393BDD1F26437D3664090AC878359178CA1CA239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:44.843{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1642AA38DA3AD180EDA2699B876D8B12,SHA256=EABB62D8CE5739752299188FFBBD5022167D5ED43B2782809D9FEA8588E6B3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:44.648{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15326944A319B63B4A76DAF226768CBC,SHA256=7C11C699DB71ECBDDA8BD7A9096A93C4F3D5AC52EFE617074C11B7EA384E4EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:45.664{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E0176816C49397E82E6000FC3C1B7,SHA256=52344E2DBAF26A82CA864DF5EEB95A9028E91BFE936D9EED8EA08A335310335C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:45.859{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4365509FB2F5A5550352662D0F6E8F82,SHA256=4F50A306B5D73152EB8C0D37EB8C35689FC0EEE52387748CE7B278043F63D170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:46.679{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0962E1A9E196565495C9B98EF1DD1CCF,SHA256=1381C5CDEAE5F055C4AD4E355B45CEE41028DD4633CFF1ADF7DBDF85D29F7781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.874{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F564E23E2B475C428DCDDCEE9EFE99,SHA256=08C87B92943B9095EEB2CD34B731E9B80C3B47D1E8C5EBEA25E3A1FE2ECFE90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E60DB110EF299E91B9CB818C32118F,SHA256=5925BCB5E2CAE9A956A8902FAE35D65DACA4571C511C8BE6011BBCF8FCE58EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:46.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2D14E88B1EBBDEDDD59D987D7BCD3C,SHA256=85D30CC0F3771F7E6182174CC4616A54A352AEB97465C6AF9FB7B043CCEB9291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.890{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB6DE768C71485EB4FEF9AC4BB4512C,SHA256=FE6D8E03AE0ACCBE850343D18C7670C73507BE31737BEEBED0E380A3C5EF7996,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:44.724{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:47.689{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C4FDE11E4EF8431E28C5F7360B8627,SHA256=80C37E15E15F2879B76BE59B560E77316D1773F0DF2BD3B87498A03C48DE8F07,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x800000000000000040515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x800000000000000040514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 13:34:47.499{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 354300x800000000000000040513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:45.092{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58936-false10.0.1.12-8000- 23542300x800000000000000040521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:48.983{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1C98FBFAD8E776C37673FD4C09EDF0,SHA256=AE4A94E34083634EE2C269690F14D368F6D5070C12BAF37F7D44A04926DB614A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:48.705{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8450526CA8985F88DD315070BF9024,SHA256=ACC4E10CDBA42D8C5BE94619B7A07AAFDDA541D4748505CB544CF3D2FCAE4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:48.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E60DB110EF299E91B9CB818C32118F,SHA256=5925BCB5E2CAE9A956A8902FAE35D65DACA4571C511C8BE6011BBCF8FCE58EC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.359{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58937-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000040518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.358{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58937-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:49.720{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF83A8154EDA9A8052278492121C5E8,SHA256=CA205CBB8E5DC1F287A04513958D1D08B00216B74455CA74977EC055CA653209,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.393{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58939-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.393{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58939-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.380{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58938-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:47.380{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local58938-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:50.736{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A7F7F7951E63A436A3E7467941232,SHA256=EB70F186903D6CACEC46FC2E167D6832C27D976BA153EDCE708A26EDDDC9D22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:49.999{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8932ED7A25338E54A66A1B66EFE6609D,SHA256=A60F87D68BB0F6CFE62DD77EB0F3EB53C62EDC74BFA48411607E9237D1119067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:51.783{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4143233949AA62718AA63D2860FB2700,SHA256=C50112E8D515BA0F6C67162A53616E36A765F63E1340ED4A160DF16F36B6A50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:51.752{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C021CCF09E595EC3C4F90143EFDC70,SHA256=54D546F8786A86BBA79940E69FE99816103DB850ADED0B9AC225E0517E5FABAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:50.108{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58940-false10.0.1.12-8000- 23542300x800000000000000040527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:51.030{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF047D237CAF58B0E17148D64BC2C9B6,SHA256=8FB710EABE2D44B335704A1E39A2B4FDB1FB52A1F87061CFF0D69BFA8ED8B3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:52.767{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9A494C00A78B76FAE74BE16EDF783C,SHA256=FCD0DA39ACEDC50FD4FA461ECADA282A2AF636E1CE53BE70BD1D7D7F29BFCCEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:52.233{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30B0EF832DB5CD3CF340CDB0EECCC11,SHA256=0FEF625F190C7110CC4DF157EB6331046670200683803D91F79656F48CB16E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.814{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A03941D0DF5EAB9DE42DD623B222,SHA256=3040768B2AABE2C6CB402F35C90E2F075A7228C5FE178E7A9E532AAB787CD2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:53.249{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2FBC1F29ED96957BCB259836366C0F,SHA256=9691DB8814D85586D5E51DE22A5F1A2575C47786A92BFC1BEE942EDD5A2634CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:53.767{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066a3b2) 13241300x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41c-0x8c7c3bf2) 13241300x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c424-0xee40a3f2) 13241300x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42d-0x50050bf2) 13241300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066a3b2) 13241300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c41c-0x8c7c3bf2) 13241300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c424-0xee40a3f2) 13241300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:34:53.298{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c42d-0x50050bf2) 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:54.830{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1F08B8C29DF335778E8662FB8C5FA,SHA256=FB829D1E386127B39007C5F83AFD7EAB8D3E3D6977D943DF34F3D6DD50F931B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:54.280{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B423643112D47EE7F3950155DBB168AB,SHA256=DE1DE1D72CA91ABCAA3937A55513CAD4BA001E422593A232D2C75B788C830E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:50.656{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:55.877{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:55.311{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EC3F34C319E00EE488276DC2CC03FC,SHA256=DF7DDC6420E06B4BF83D0EE34F1A5C54D87B1581BD55CF001AD8E3F66E75AD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:56.892{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFB0E7B6BD665364E2FC2FF553358,SHA256=C52653E5B116DA7371FF7409D08B5FCA78BAF55780A92E4A4C2DD3AA3B5447F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:56.327{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7CE89F58064D7E3CE4EFC5AA30108B,SHA256=46B655513B48B758E293FE87485CABDE37AB2BAF63D7A6F629363365D9CF42F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:57.908{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA4DC984C9EA51354555E778AE09DD,SHA256=3DACB42D0F19A94563D1EC4CA9793262209DE787980C7F8BCABB5645651E1E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:56.061{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58941-false10.0.1.12-8000- 23542300x800000000000000040534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:57.343{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA2B273A60070D50CCA00E9CB1594C8,SHA256=26C6CCB3CFFD2E7F6895E6AC1A566B2682705FDD4E4BB2F727EBABA3D3571434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:58.923{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA45687B396714C12FBE484E56AE655,SHA256=A01AA6C808F7A7A9ED94427B89062D496C6EC3C724E796DDE4A89C784AA9099F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:58.405{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D866F2C8568C3DA7BD874DD4310AEA,SHA256=82D7F9924AF6B36FA27483E2C65CEF616D57C84082110508E42D0A1E6615745A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:55.765{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:59.955{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45EAD79F835AB5883C8FB9438882E4C,SHA256=7658D874147D79A0304CF5800C2D13041C6799D25D692398C5650C05AD89E2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:34:59.436{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343DC651E41CF6CF9F97D30DBD5A401B,SHA256=C89C31C710D783C1ED237B41C3CC3CFC084880BAFB4C38B42CBD8976E93EEAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:00.986{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B475BA2719ECF8F972482BAC28F7B61C,SHA256=328012053422D3E6EA957A1F827FD4642134FE344546943FB8922F817BCDB347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:00.452{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905366F190631EA30B9D9BF37FD92471,SHA256=A7CBEF8FD0DDEB6AB5657545FE65DC0A6E80A1C48AC56DB10A9CDB611FB4BB9C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 13:35:00.080{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c424-0xf2b91ac4) 23542300x800000000000000040539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:01.499{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14444DC99DB6DFA655A8240F1818C79,SHA256=6A2DF3AC3621F7272B95D2A392423C7BA9C8F9CFC39DB3FB6DF641F0B4EEBE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:34:59.623{6F8252D3-5DBA-616D-1200-000000000502}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-470.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000040541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:02.671{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8BDA937F301A9C536B499C8789FEF659,SHA256=78C745ECB4A6E08FA49A4C9B10BD413A8EB6E624437B1A7ECBF7B1E8E3721D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:02.515{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB5F49D8C6C355E45E321FFFCC44481,SHA256=9B47D277EBA05DFCC744E879DE60F30B15A4D789AC5A1F7F7A65B0CA428CA057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:02.017{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90A302BCCCC711DD8D227ACF7915589,SHA256=09AECC544E61A0901E4EB175B6569BF4B26D9651E0F8F83A51AD3DE4D178925A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:03.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D10C1C75E47C15CF025874422D6ECF,SHA256=E690026E3BB910724FEE18FFDDC25D4D4BD08A9E5F3852F67CDDA0EDC7455DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.379{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-470.attackrange.local138netbios-dgm 354300x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.379{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-470.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:03.095{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A1748117C0E84D79FDC29BE2D40F5,SHA256=33EB2ED97C33544D2DDF3F120BD3E47B10AD9F23ED7CC91CDC2FCC60AFDE67EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:04.530{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF719CC80E0F6445CE522736DBE8514F,SHA256=47826C430F579CC2BC3AA11D36E653BD89F31536B360446390094BCD4EF62B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:01.796{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:04.142{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121320B60DB3025E61B6F8C59FB5D2C,SHA256=3FCA617AA347BEF3BE9AE6E99C26E394E26948DF5F8998D5A0D9BFA6905BD325,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:01.984{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58942-false10.0.1.12-8000- 23542300x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:05.561{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31954A4DB8DA64B5F39866F9DE821E3,SHA256=6084196B7C24C611D0997C60683A7E971A45CC80D2610183F73D6121C9B56871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:05.158{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A62A9EF69578CA146E3B455A9D652B7,SHA256=7B71C9332BEB61C836F3EF7994A4A8009F2A43C80A2179DAEB49F87D9606155D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.844{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.846{8D4DD44E-780A-616D-F208-000000000402}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.577{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB0CF381D9FA11CC23905CFECE8174,SHA256=77A307D232CD4B41FE2B02C14A1A0C99E983FC560FF2F4D20B94FC361E2B2E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:06.173{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0E91AADFC58EDE4F28D33DC4880A9,SHA256=78C894A074A4E0BD5CA9F81C56445F764EFB05AF1C00BAE168A3F60D5B2B3CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.296{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:06.297{8D4DD44E-780A-616D-F108-000000000402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.687{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CB155FC55E05D198DE0BC6DC1557B3,SHA256=66580B8D6B2DE982895D768A9E1A1D0DE221652C91A5BD0C286DE44B40789905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.609{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.609{8D4DD44E-780B-616D-F308-000000000402}9124964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.174{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C05CC28F1EE87F72BCD89B0BCE5332,SHA256=FE698D39A393026D0A62929B285859F1EDCDB1F87A951EFBDBCE01C9F2F57D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.470{8D4DD44E-780B-616D-F308-000000000402}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.422{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38033FB326FB008823CE7191B0E174CA,SHA256=AF821F151F85A370DD25648B8BDB4CE24C4823A683AC41383032F632E744C3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.422{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F69FF45BF19A0C56F457C39E2E49222,SHA256=A21434A2313BF40811DDF56374BA7A6C33EFFB5F86D3DAB13F5BC1F4487995D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.687{8D4DD44E-780C-616D-F408-000000000402}20364988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.625{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD818339A555E5748AFDC1B695787351,SHA256=59DA3292F8238F1ED4F76F779AC4F9C222F47807F0CBAC86A9EE1B28E5DDBDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:08.268{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:08.190{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF145DB7BB0AD057874FED6EF0DE7FC,SHA256=C37ADA7CC3271A846AD9DA9444E43111BD1AD38D33548A1D54E63B689755EF7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38033FB326FB008823CE7191B0E174CA,SHA256=AF821F151F85A370DD25648B8BDB4CE24C4823A683AC41383032F632E744C3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.531{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:08.532{8D4DD44E-780C-616D-F408-000000000402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.969{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.970{8D4DD44E-780D-616D-F608-000000000402}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.719{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB6EE90C3CEDD41B036C53DC6174DF1,SHA256=45526E5EC98629B364EB7CBD23E7430A7F417C5D8B60111409FB5AFB85866FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.812{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:07.610{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:09.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.547{8D4DD44E-780D-616D-F508-000000000402}45201932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.547{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A24C76792EE6E04BDED8AAA1B5F2D17,SHA256=BCBC3AF66DF25D5DBF2330B1874432565871B51699BE350BF8239AC3DEBA688A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.390{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:09.391{8D4DD44E-780D-616D-F508-000000000402}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.469{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58944-false10.0.1.12-8089- 354300x800000000000000040607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:07.030{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58943-false10.0.1.12-8000- 23542300x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:10.765{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19060270D93C8000954B954CECB6E91,SHA256=A540B35FE5DAE87F72FC3D34DE40CCEEBFD6C2EB6751E67E987669BD81755F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:10.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9C7AC5D153A7C7971AD69D86DF74C0,SHA256=E088692CFFD6DBA2D46D7965AD4656CB4B777CD21A2C6E7253248E7AB441010E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:10.203{8D4DD44E-780D-616D-F608-000000000402}32204860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:11.797{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFA13BD8AE3EC6E8F5DAE959ACBBF0D,SHA256=5002BB19837A6F0E07BF6D123C0089A1FB16F9106E7014DDF219BB16C89C2EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:11.252{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2544B878F5EC8150387814B6BB7520DF,SHA256=F46014C2CDB6AFCEF132A0C2F8D939C69716E70755A22EF2911E4D63038943B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:11.172{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF5C14F01E2F285236A004374DE41A81,SHA256=EF7823A31399CAC0AA973D400100B2D7C9B84EFF9A90D4D9489D5E1BB1D58BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.812{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCCC3F01A00FFAD1D795416CC710DE6,SHA256=5FE6FE59312F0C39644121F724CC82519EE7BDF0FC5B2A2DEEB4C3B3F86FF20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:12.268{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEE4124B8E343397118434EADB033DC,SHA256=7B3FB6E6D960D088719C14F3962579FA70A5EBCC551BABCDDAD1E6B6C424AA5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.078{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:12.079{8D4DD44E-7810-616D-F708-000000000402}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:13.299{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65132E5B41DA968A17C5D43D65DAC48D,SHA256=3BDBF35C1F0B7456D3F4E2A4881A6B591E98EDE371EF52B36AF75DAE674273F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:13.109{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B069C4C448EAD719EAC7046B6FCED1C6,SHA256=3DD953C35DB0631FA9D5B26E0A8F32F0E734C33CEEB54EA86658883E39BB943D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:14.331{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA02DEBFF1E69A7FFF3AB769DDDBD642,SHA256=B14BE7CB2AC4F22C7C9027F113CB92ED9C0719D7F08D9A76870550CBE093326E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:13.077{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58945-false10.0.1.12-8000- 23542300x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:14.047{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBCB3C9FCB04253B4AFA16CA2D71E72,SHA256=3D47B57CB36835D215295FEA2233863E45BE81317F5991270E879ACD4FCADC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:15.062{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1612184BDF89B5EFA685797DFA0C63,SHA256=0C241AB7D0FCECCB12FF0EE956462DE2A92173A4C36BABD4511950C71EF8CBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:15.424{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DBB99DA8761F1E7CBFB817E994292D,SHA256=09E6C25EE91ADBD146A07EF0059ED09357C67E843C84A72F76440DC0A01E5EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:12.797{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:16.297{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1B318CB1CD4A8DA36A12F552D260BE,SHA256=ABFD49C76E676313BABCA0208A30CE3B3699409E2213EF83DE30B63E67E86EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:16.456{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C876120013A63BE4BB6E32DB422A14,SHA256=DDCF0D0EAA2D7EE4D440EFE918158294C28FB03C985A0872EA5BE05A9B099BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:17.471{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DD96ECF0EC5D713154C9102A21D366,SHA256=CB6B417DFDDCA9B11EE0F1499C14D5CCA054D7F6F1F17A1215F78F9A0B0032F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:17.328{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DB181F13D9F9F42B223339EB5CE50E,SHA256=18FA2F2A42D275B0782C1B4B5FC4AB6C024614E37FEBCBBE8A055CA5396CD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:18.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AC8E965F8CBFAC64F1EB7BE26BC117,SHA256=43C58E0CA37756B802653D73EFFC569C95135EA4D4238E38F91C35B61AE9BABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:18.344{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DC535A839F2A9AA965659A41FD24C6,SHA256=AF86D774C9CBA8F1EB81208BDE277A7983E85D0A94962AEE1142A754EF65E53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:19.377{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76067CFFEDEA942A6D78956976234E19,SHA256=176E28D3BDC65848087C97ADF3213889C762CF4ADDF83FF9173354AADD2AB5B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:19.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C36162B6E935CF9EC30A05C5F8F700,SHA256=310BF5DE65FF7F98AB18A147FBF4627259A605C4034885B1F39479C81E7220BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:19.254{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-117MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:18.873{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58946-false10.0.1.12-8000- 23542300x800000000000000040666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:20.392{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558EBFF946565A3F9425E9CD9D69A302,SHA256=4BABA3AFEA9CB70F40FF080E64F04867B272E0413D472B149D8A2A318253A10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:20.502{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248F850F87B0E532B3D838632C03CD2,SHA256=3A5B8F930B72A52ABE51E111B9E8AA38ED7A3012BD3B8A18FCDAFD1DBA43A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:20.253{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:21.411{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC832599536F03BCC2ECEFFBD763E956,SHA256=DFD9ABD62BC98BAED1618A9527A4D0BAA527B03481335FE031AEE8532ECE2454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:21.534{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E13B23D6197E8807B75AA18F66DF4FE,SHA256=F78F5F110845BBC8D48ADB7E30594F813B6387144CFA8811C19F568C15DF6572,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:18.703{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:22.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1C502931CB80EEF54881A193B9BF69,SHA256=C7BA63F402BFBEDE5A24276AC08366629B1B572A3BDB9515BBBA1270CE5571C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:22.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871E3AB1CABF243274EEEB6F66C80B9B,SHA256=EEEBB1DCEBBBE29B939C85BBAD1995CC14A0E487A9C406DE095CF60356650266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:23.565{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C333206BE9348878322D6DB5A0EC6736,SHA256=50BAF8357F042EF4CA72DB3BD21FEF2CA8C483C3A9AAA016367D97DC581A7BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:23.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED3E4D3154E42B2DCFFBECE8DF21E1C,SHA256=C74EB447BE877F8E065988A62AA958D783CE5D1117B28D0000A6A4B7FBA726DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:24.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6FDB6E813630C3BAC7D4E62AD75730,SHA256=37229A61DCEB9AD7647D6A6E89B7FAF29A305B6C6627C200102DD479CBD5D38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:24.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:25.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE53824A4A64BA15FF30625313C1FCC4,SHA256=67F285401DD0DD25C9B0DF402F5BBC775DF70936519878F40B9CF8F93702FDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:25.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:26.676{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0B0C28AACA3CCDA620D3C22FAB13A3,SHA256=596C4EC4631A02FAF4E3C06CB4E6F89D1E094DEA8D5A67DF1AA268924FBEDEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:26.659{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:24.034{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58947-false10.0.1.12-8000- 354300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:23.765{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:27.770{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE9F8BE34C59944E57C6DF99CAC8F9,SHA256=832AD37C5515CDFD1E9930410841D1B20440BB4FF1EDF1A1F1B128BF769D21D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:27.695{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F5548150173B08F213ABC0AAEF5BCD,SHA256=153DC5E6D287E2E55552300D0B090ABD2661E0A01238FDC199BEBA5AADCE0364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:28.786{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7973A197ACBC4C860CA1A3EE8BAB5717,SHA256=19A770AFA4BE5FE1E3EE2B6EF201F0876ACB26BDB4B9D1D5F04BA54AFD527DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:28.711{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:29.802{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653B962C216B66B8F68C482C379C2642,SHA256=6A05F2654050A80269B58EBF8C7FF52B11B4B742B2B917BE6E959C4A681BC1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:29.726{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:30.880{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173494C9817FF4327291D4000AA8C31C,SHA256=49CAF5908F8D6B15B843C0D1B59355C9447B5B16C41D6451FFDC0CF2E84922FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:30.742{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:28.770{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.929{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.930{6F8252D3-7823-616D-B806-000000000502}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.773{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3DCC36CD5719BA15912C3CA1ADE1C,SHA256=A599B79C58A2B1044907C6CCAE933D47B9B2EF0EA29CAB0F59B737CB19348F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.414{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:31.415{6F8252D3-7823-616D-B706-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.929{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD2302CFDF15C4F20022E32352CABEC,SHA256=2B2E0B5394B180E7B12614B5C985C69D5D5329C33E2E6B0282317A770FB1DDEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:29.988{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58948-false10.0.1.12-8000- 23542300x800000000000000040679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:32.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D9DBC2F622F913C670E2A0C850E5BF,SHA256=8A91087F926DE8D76B67B654B90F860B632769B466DB3476FD0752C70C1C19B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.695{6F8252D3-7824-616D-B906-000000000502}2752724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9E5CB27A643CE52793A9CF986B583B,SHA256=C9D0DF34BEAF49E60B0C519E76C65D87C2775795582BB76B1968271B3B7082E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A61C7A598D2F0548CDF301EB78E54024,SHA256=71781DB82E7E4F2C03E679A0EC9B09B84B1AB2E5C13B46950801A44D235F3CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.429{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:32.430{6F8252D3-7824-616D-B906-000000000502}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.945{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6285B267A46CC7EC299662764F5589CC,SHA256=2302616F0E6BC20145C69C50D3515B72F07A92444BEC397F1C681E0242807A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:31.910{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58949-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000040684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:31.910{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58949-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000040683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.177{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF75E10F894BBC455232DFFEB4EC9F4,SHA256=3E4754275413698375A0BBA5D361AC2585C256B68E4147CC169E1B06BD778883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.774{6F8252D3-7825-616D-BA06-000000000502}9921700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.554{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.555{6F8252D3-7825-616D-BA06-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:33.445{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9E5CB27A643CE52793A9CF986B583B,SHA256=C9D0DF34BEAF49E60B0C519E76C65D87C2775795582BB76B1968271B3B7082E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.052{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AED8D31E2A170C5ED9F13AD4EEEDC3,SHA256=DC05F70D64C6D616691A85B5482D9ECBDD99E849E79782DB546FA6E145CF00DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:33.052{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9767922DAAD739BF0D0E3CFAA4A565B6,SHA256=C8147B49541DB138EED0AA1B47C31AD39DB66CD6B018EB83A1779B4EFDE1D816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B60C5555B13CB00A2FC8E2EC1B460,SHA256=FB7142269C98482226D3D064E14666DDC104BEA94B70947F7E0CD6849A3A7BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:34.208{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C780C17471AFAEBB21DC14A8E7731A,SHA256=5841D57D61F06F86DE5F608A56FC56572CDC7CE0835CC2CC6AE2A92E4F580696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.773{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.774{6F8252D3-7826-616D-BB06-000000000502}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.570{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E886F24F4930778C415D4C77AC679529,SHA256=DAAF9A267CFD67D9125FDF27BA33B7DE2E0CF8D33837BED1F3D2DAF2E111BBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:35.239{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8DC7179A9315E87B6E4A86159CAED8,SHA256=7EC83A662E6214148FA7B258570528595F08654458BFD8F7D18953F93131C604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.789{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D128C205B3F32CA3ECEAF7B37BAADF,SHA256=D68CB1FF179A9327EB145FCAC589125CC30079322C1367360F402BCF3746DC21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.632{6F8252D3-7827-616D-BC06-000000000502}13164040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.445{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.446{6F8252D3-7827-616D-BC06-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:34.770{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.320{6F8252D3-7828-616D-BD06-000000000502}2748328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0C00-000000000502}7281708C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.117{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:36.118{6F8252D3-7828-616D-BD06-000000000502}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:35.992{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48BC8A0F96CE805D08031E3CC91752E,SHA256=3E8C5EBD2F525FFBEF46122383AF988521F4F671767F6723A8C4AAB84BAB25AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:35.003{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58950-false10.0.1.12-8000- 23542300x800000000000000040688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:36.239{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16605B59BB9E1B76C4787CE25E505356,SHA256=EE4209AF4C9B55C31FD43976FB8ECB712ECA1D5D920297BA5FD90FF49C1882B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:37.148{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C8596DF254157F5DF170BFF1BD91DE0,SHA256=FC215A0761E23F1AF1B26730E946907FC620FB7EA0BF7A7F5653EAA75A53AB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:37.007{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436D23DC1521C11C3CD043B85083EEC9,SHA256=85802DB72EB21DD5954927F04C0C366B147C4879857284F3033245EB71825B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:37.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E46046C4F2D29485253E74B8D99970,SHA256=A754BD970914624DD18873D7E72F2210AA22D6CAC79D80D3D8870251AE490F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:38.286{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD168063D7B81F331198EC17F1851DE7,SHA256=DE71DDBF4B853C058FCF8C21887C8BF353C6E4426E96754AC0A765EDB05A3459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:38.039{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B088956DC754E4DA99F77DBF62B71796,SHA256=E06E70CD322B8AC9A4BCDC3CE12C54299155D95A2C9F1488415FD2DDED9D191A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:39.302{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385D4A7C7660BD7C7016F8BC3B1185,SHA256=1CC7F5262B11A5FAD24E3843833A26EFC609DE2003700C6E0DE778D40F41CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:39.054{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BFD10749775E4EC10733CB7DAE832C,SHA256=8ADBADED87502EFDA632CBC1B509BB180980259EC7638861E704D94F39AEBF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:40.333{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C4523FAD7850FF4733FE507BB61691,SHA256=295B357CBA505F44B2FED422E2B8642145DAA70B0706E81530F28DF3627C7519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.950{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-109MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.070{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D167A0C61DEADB02F9E4892F5471D23,SHA256=DDF58F612D9D56FC44AC3782E521B2FF102A2E9647287CCD882A8618946E2FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:40.066{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58951-false10.0.1.12-8000- 23542300x800000000000000040694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:41.349{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC3FA67CB698FE5BC0895D5778B67C2,SHA256=0670AEB4A51432FABAA4873584042A27AC9EC253CE30E0F2C27A2A9E48CA856B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:41.948{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:41.073{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313A856AC4F67A95880ECE3F02E98E72,SHA256=8617308159C94A10B19C0325DB6566FA49FEC38084CC334A12A3A19EBCCE63E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.692{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726585AA579E530FD8E554D321A9F484,SHA256=2038C46AD8AD416082EF3B060EA02875D22A87C9A8830D7CE33DC575ED3553CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.692{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AED8D31E2A170C5ED9F13AD4EEEDC3,SHA256=DC05F70D64C6D616691A85B5482D9ECBDD99E849E79782DB546FA6E145CF00DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:42.567{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3CE6C34891FAA24489A0653FEEC7F9,SHA256=2BD05077EED3C931B9A44B948B3FD725FF92977A4DC3D7B733FB9883E0AF0840,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:40.601{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:42.087{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9971C88C7C23EE908D40322951ACA30,SHA256=9A38C05E0930C500213DC7D281F9B502094F9774B7E4D6D307388604F88F76FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:43.801{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BC1B558EBB2DEA21F37345BB7D0B97,SHA256=22B5C151EAACA213890FE2B15D25E991DF7ED5B1CCECD7741953DB80B886584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:43.089{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB139D7D14486285948E91CE5EC7D49,SHA256=335E992115A86768FF38625DB2251F81E356B344E3BF3CBB8D727A1642A14ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:44.105{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04C329C40EC9E08765884D001C4E276,SHA256=20EDDD2033447C74A2068EA6FA7A792D1E4EFE90C93C0A5FF7E95991C1FF7A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:45.105{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62A3C02965CBBFDC761B493FF48CBB0,SHA256=5007D31FA8509406928F085A96A967C0D4394179BE46B7E05ED49C49BB097416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:45.005{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90173415E7D14A85E803DD3331CA476,SHA256=EE3EB73FBC16A44CA59E96EDA4D55447F992E0871E0C25DBF828BA858448B6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:46.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C3C13B4D32EE8E8BDF7B4DF9BE75C0,SHA256=27B657662F15C3740F283B316B5CFC9D7E769163A7D4CF638EB556FD407A397A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:46.120{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F0F3D48FED5D979E19C48A58F93DD,SHA256=764A85E60FA0D56C8AB58C8BAA3B65601ACD7E9A153DE9B37E60390F7FE44821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:47.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:45.925{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58952-false10.0.1.12-8000- 23542300x800000000000000040702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:47.035{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB24368F4A5894516ED3139D11BB35,SHA256=3EB2367FA1C6722ABBB537C43FC17FB1AE9E383EDC44B9D8AE62A4D5523C1026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:48.148{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:48.051{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280A11EB3FB243E4E401D567B5198749,SHA256=4BE44203FB1CEF9446650EA88A3DCE688A14BE64906D66DDBF26E14CAFE95AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:45.773{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:49.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09912CEEF0545A401AE9329EB4A04A63,SHA256=AAD56252D77D0225FC5320E6552F860713CE21437F084483B7F7C18898C47296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:49.067{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06028C728FD931850C4D3D87BD258321,SHA256=8BB8C0ECAD46F4FC9D55097E9F25B5BBF6A1CAA3F4742B4DDA1FD13AE6B77529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:50.082{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8629B02D8C8E635287121059C341392F,SHA256=D802489869C751D55C10D206C03CF326ADFE83F8069ABF9647EF080C6E4F77DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:50.180{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57485397840B261332347E09E88216C,SHA256=922242EC292B3D5DA3360654BAF0F5F9FB0C9E1E4BEAB9BF860D3D55D7558A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.790{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2DBE0374B26E4520984C588A759BA8AC,SHA256=92A2EC70DADFD2531227867B734BD75708671063E4211EF0499AE2907FF0C079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.196{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B96182B98F6B04F030183FFD2363D6A,SHA256=F3D6FB9568A32E44A623A11CD95610832CE1396738F1BC9F4F4D91546E87E998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:51.098{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004985BACF4612FE5EB721734F7A2E56,SHA256=AB96FDA8938B41F4F9508488137C643931715F45CB5EA2B58152D31BC695FB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:52.227{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD758BEBC448F15C322E3A22729393,SHA256=E3046A6CCBF7D384ED27A7577D44AC152AA9043AC4C6B0AE1EC7F3E4EBC8EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:52.114{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37E3A0DFB6CB90D46DB528C1452DBD2,SHA256=44E9610841CB80687405DBC5BBFCBB7DEE16AB2DABDEF9A360A23D2A6D7F9ED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:51.644{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:53.258{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB3DBD3C97CB317996C6B07DD9D36,SHA256=239AF3DE4161F904EF295BC626D145E733C753E88431B6319EB2C0C1B3CCDF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:53.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F281F972B3D73EE12CC0B5BABFEFFC1,SHA256=B4066CF74A3318392B71016CF1A7E098E21D071C5E1A00B6B981DE82C5D13D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:54.274{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CF1B664C28A109671DCC87FEE03D8B,SHA256=694F6FD0629B14D104DFB689876384CC9B5D07A7D4E1A4CEA92B97EF5D410FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.160{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5CDF946ED26625BEFA6F7B4F3A61D7,SHA256=E6F7B1D37B3891928C9F222829B36D00ADF893869A709387379DBF939A994DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4054AA2B09E3CB47DCF89D77A1695097,SHA256=376F47B602A841AF6BFD9FCFC427DB270B932EA745B395401BD51293DA2664D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C7B3BF0150F777CC244FF5BA03E7300,SHA256=98DE8C70FEA7D627A9CF0647581AE3C5BB3B6C7842DDAC1048405DDC6C93ED8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726585AA579E530FD8E554D321A9F484,SHA256=2038C46AD8AD416082EF3B060EA02875D22A87C9A8830D7CE33DC575ED3553CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:54.129{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DE35EA9C58C818A77D6A5815BDB55871,SHA256=7B2E5DA595409920D6D939515F1171B8EAF84BA1E7F8472F72AF428808E3D6AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:51.909{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58953-false10.0.1.12-8000- 23542300x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:55.176{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FBC57C8BC68CE1ED752D2B3B596D1E,SHA256=C264DA7E8FB7DB9EEC28898A7818194955CBFFE8C7C66D97BD84345E832FF624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:55.290{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFCE7D920CFBB91FB493841B40CB83,SHA256=A42DF885D751EB6BCE2F2E895BDD2160B35DEAFA71FFDBE580A1FB7EF44AD4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:56.410{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E964DE5FBA0984659D0F6432D421F,SHA256=32080D0DF7E1FF18C04BD8B58551313A137CF81A7981CD8A147D5CF96B0E4D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:56.305{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A797275388EECE1282E06442F8D7B,SHA256=00DCB5487BCE5B60CF1BEAE01C1D90DE7E48AB285D1D6268242797FE5482F052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:57.321{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F386B2863D018C6D83648FCD6DE6BBBA,SHA256=00C990AF186CB6382D8E4E901F31A93E89CAF617E5ADE6564B292E416A86BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:57.426{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEECBE61AE3B6A782C16C3CF7B2F3F0,SHA256=DF8312893129A6DB3FAD8A2EB312EFB33FC380F1C8D2EC6CBC04B55D367A027F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:58.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFFBCEE2B7ECFAB03E23E73EB55E1BC,SHA256=097A057DBD6ABAD55C3042AAE9745B85FE5F3927CB10A79AC1E5E171E5547CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:58.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7E566301B69258C8AD55DB48DD924,SHA256=B1EAC981A3F4939276EA3EAFFC5883C0B997CA099BCEFFBD6B8F02C6EBB2A0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:59.457{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A0877F871B5B2FF479D94B231FBF79,SHA256=1FA44BAF26FCEC8403107B12A5B5B6418C99C56DCC32849F2F675AD77AFC771D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:57.644{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:35:59.383{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DE8F2554050C6AAEB1FC5F59EE5032,SHA256=322D314D3DAE11DDF83470C7EA0483F0CFFEC3E648BA72E9FC9BDB6F4893A033,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:35:57.003{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58954-false10.0.1.12-8000- 23542300x800000000000000040722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:00.488{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF168B1A27C4F82F0130455DB11FDD9,SHA256=B1A0F74CA9F17A8CEFFC94FB3FE92EEC7D5C38AEBAFACCFAD20E069647DD76F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:00.399{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694689F3F90B89E2FD05DBB527967A90,SHA256=6D51528067B8D600034B9E55A3133FCB7A536BFCD1EC75068DA7CAE6C9A57C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:01.520{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16DA5FB8F996BE1FBA23C3627CB8F6,SHA256=13C0FF6C1FEB0AA686FE8A16768E7CCBB51AFE8E13E9E37BF67D82E911CEC414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:01.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0533DCFC96996F0125E89654A59AE30B,SHA256=7A22A0A0A7394172690420183158781A689D0079E3CBD6FD70736161901087EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:02.754{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FD20F5DCAA546A4D194B95F1F5564B,SHA256=C5D75486E37DDA31935B14A4A329BEFC74E08FAD20F5AF9770F56ABDC1DDFDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:02.446{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD58E5F95481C82CFBEAB12BCDACB207,SHA256=846F07DFC11530B495853EF62BACAB8C19229CA775F20B6807EC6D5887B0CE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:02.676{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=672EE76BEAA105A00B74D3D0A9A66BD9,SHA256=2D74EE8E2332D4AE1B76AA86D485E9B6635EB596B3EAEA5B7ECBA87F779035DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:03.785{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305BE6BEB8AF81CD1FAE61202DC94FBE,SHA256=914DEB665924FBC7B7991F86CEC799EC9ACAA3696FCD9EC08746E1A708CC6994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:03.493{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:04.508{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDE711EB895036E028BF0691156BCFB,SHA256=2C45FF4E01FDCD0AA18459C05074ED774C6ABA3DFDF6E25CFA386B6BD29CA8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:05.540{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A200C3C5079D0E90CB926C65BFFC82E7,SHA256=B5F01CE8335AD01902ED38CF65F811CDA67E8F5CB81AA492ECE846A23C23312B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:03.051{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local58955-false10.0.1.12-8000- 23542300x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:05.004{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E09995B2604F7E4372B3153FEB828D,SHA256=7103FFFA03AAB4F950AD03B327969D53194E51DE8C6EA6848C28870EC120B72D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:02.784{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:05.290{6F8252D3-5DBA-616D-1000-000000000502}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.76.146-63813-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:06.571{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA12F455D33998E98710C6B3A88E1C4,SHA256=2B3C19740E5212DD9294E4AE4F01C1AA0AE692577240330D71EABFE4557E6113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.972{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.973{8D4DD44E-7846-616D-F908-000000000402}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.504{8D4DD44E-7846-616D-F808-000000000402}45642404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.301{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.302{8D4DD44E-7846-616D-F808-000000000402}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:06.020{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F5AB981E002658C3BD865533602E75,SHA256=701394EE7A7E833B9B18167049672C041903A5FA26C6B1D4F0D4D1B04B4EC598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 13:36:07.617{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F035A33421AF422809A3FDED5AB65,SHA256=01030AE14BB95017686DD7B85DFDEE45E9355D0C7BDF94B7C59F45D2CF5FE43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.644{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-7847-616D-FA08-000000000402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 13:36:07.628{8D4DD44E-5BA8-616D-0C00-000000000402}8484312C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791